SAN FRANCISCO -- Members of the SANS Institute presented their 2014 outlook on dangerous attack techniques at the RSA Conference on Tuesday and offered up defense strategies to a packed audience of information security professionals.
Mobile and wireless threats have moved beyond malware: attackers now use these platforms to carry out attacks. In the past 12 months, SANS researchers have seen a big uptick in wireless skimming over Bluetooth. "This is only scratching the surface," said Ed Skoudis, the SANS instructor who leads the pen-testing curriculum. Bluetooth's frequency hopping, and the scarcity of tools for monitoring it, make such skimmers hard to detect. RFID skimming in hotel and retail environments that use RFID cards or other ID information is another cause for alarm. "Attackers are using mobile for the same reasons that we are," Skoudis said. Basic defenses include turning devices off or using them in airplane mode. If your devices rely on proprietary hardware, it is a mistake to assume that you are safe, said Skoudis, who noted that reverse-engineering hardware isn't that hard.
Isolating sensitive networks or systems behind air gaps is also dying, said Skoudis, who pointed to recent side-channel attacks such as the 2013 "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis" paper, which recovered keys from the sound a computer makes, and the badBIOS reports last fall (real or not). Air gaps can also be bridged by USB devices, pervasive wireless, and DNS resolution that leaks out of the isolated network. Security models that rely solely on air gaps need other measures, namely defense in depth. "At best, think of air gaps as low-latency connections," he said.
For all the buzz around the Internet of Things, "hacking all the things" is a growing threat to enterprise environments. Thermostats, heating, ventilation and air conditioning (HVAC) equipment and numerous other devices sport Web-based interfaces served over HTTP -- not HTTPS -- and speak custom protocols. Beyond reverse-engineering of the embedded systems inside these devices, numerous cases of attackers taking root control of the embedded Linux on webcams were reported in the last 12 months.
The future may hold hacks on "trains, planes and automobiles," Skoudis noted. Talks at several hacker conferences have demonstrated the possibility of remotely attacking computer-controlled transportation, including airplanes (Hack In The Box Amsterdam 2013), cars by injecting Python code (Def Con 2013) and train systems in Spain (Def Con 2012).
In addition to the well-known areas of concern -- power grids, healthcare environments, hospitals and weapon systems -- IT security professionals in enterprise environments need to secure every Internet-connected device. So where to start? Inventory and discovery of these devices, segmentation (where you can) and a rigorous patching process where possible, Skoudis advised. "I think we are going to end up in a world where you are going to have to patch your HVAC systems every month," he said. Securing these devices will require automation, and pressure on vendors to test for security in their designs and to supply vulnerability information and patches quickly once products have shipped.
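The inventory-then-segment-then-patch sequence above is easier to start than it sounds if you already have a port scan of the segment. The script below is an added example for this article, not code from SANS or the speakers: it parses nmap's XML output, records each live host's product and version strings (the list you need in order to track vendor patches), and flags the plaintext management surfaces (HTTP-only web UIs, telnet) that belong in a restricted segment first. It assumes the segment was scanned with `nmap -sV -oX scan.xml`; the addresses, devices and XML below are constructed, not a real scan.

```python
"""Inventory networked embedded devices from an nmap XML scan and flag the
ones exposing plaintext management interfaces.

Added example for this article, not code from SANS or the speakers. Assumes
the segment was scanned with `nmap -sV -oX scan.xml`; the XML below is a
constructed sample in that format (hypothetical devices and addresses),
trimmed to the elements this script reads.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.20.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="GoAhead WebServer"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.20.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Boa HTTPd" version="0.94.14rc21"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Boa HTTPd" version="0.94.14rc21"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.20.0.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.4.7"/></port>
    </ports></host>
  <host><status state="down"/><address addr="10.20.0.14" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return [{ip, services: {port: {name, product}}}] for hosts that are up."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        services = {}
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not an exposed surface
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(
                svc.get(k) for k in ("product", "version") if svc is not None and svc.get(k)
            )
            services[int(port.get("portid"))] = {"name": name, "product": product}
        hosts.append({"ip": addr.get("addr"), "services": services})
    return hosts


def findings_for(host):
    """Plaintext management surfaces a practitioner would want segmented first."""
    ports = host["services"]
    findings = []
    if 23 in ports:
        findings.append("telnet-open")
    if 80 in ports and 443 not in ports:
        findings.append("http-only-web-ui")
    elif 80 in ports:
        findings.append("http-and-https-verify-redirect")
    return findings


def inventory(xml_text):
    """One record per live host: product strings, findings and a target segment."""
    report = []
    for host in parse_hosts(xml_text):
        products = sorted({s["product"] for s in host["services"].values() if s["product"]})
        findings = findings_for(host)
        report.append({
            "ip": host["ip"],
            "products": products,
            "findings": findings,
            # Anything with a plaintext management surface goes into a
            # restricted segment until it is hardened or replaced.
            "segment": "restricted-iot" if findings else "default",
        })
    return report


def by_product(report):
    """Product/version -> addresses: the list you track vendor patches against."""
    index = defaultdict(list)
    for rec in report:
        for product in rec["products"]:
            index[product].append(rec["ip"])
    return dict(index)


if __name__ == "__main__":
    rep = inventory(SAMPLE_NMAP_XML)
    for rec in rep:
        print(f'{rec["ip"]:<12} {rec["segment"]:<15} {", ".join(rec["findings"]) or "-"}')
    for product, ips in by_product(rep).items():
        print(f"patch-track: {product}: {', '.join(ips)}")
```

Run it against a real `-oX` file by replacing the constant; the `by_product` index is the thing to re-run monthly, since it tells you which devices are affected when a vendor ships a fix for one web server version.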
Bitcoin is another area stirring up security issues, especially for users who don't really know how it works. Bitcoin mining, in which miners validate transactions and maintain the distributed ledger in exchange for newly issued bitcoins, is the one area "that gives criminals a direct method to convert your CPU power to cash," said Johannes Ullrich, chief technology officer and dean of research for SANS' Internet Storm Center. "Last week, MIT had to kick out a student who turned the university's super computer into a bitcoin-mining operation." Cases of bitcoin theft -- recent instances involved Android wallets and QR codes -- and bitcoin-mining malware, in which "bitcoin-mining software is installed as an add-on to other software," have also been reported.
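Mining malware that rides in as an add-on to other software is easy to spot once you look for the two things it cannot hide: a process that burns CPU for hours and an outbound connection to a mining pool. The script below is an added example for this article, not code from SANS or Ullrich. The Stratum mining protocol it recognizes (JSON-RPC over TCP with methods such as `mining.subscribe` and `mining.authorize`) is real; the process snapshot, connections, CPU threshold and pool-port list are constructed assumptions to tune per site. CPU alone is deliberately not treated as evidence, since builds, AV scans and video encoding look the same.

```python
"""Flag coin-miner processes from a process snapshot plus the first bytes
each process sent on its outbound connections.

Added example for this article, not code from SANS or the speakers. The
Stratum protocol check is real; SAMPLE_PROCS, SAMPLE_CONNS, POOL_PORTS and
CPU_HOG_PCT are constructed assumptions.
"""
import json
from dataclasses import dataclass

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
POOL_PORTS = {3333, 3334, 4444}   # assumption: ports commonly used by pools
CPU_HOG_PCT = 80.0                # assumption: average over the sampling window


@dataclass
class Proc:
    pid: int
    name: str
    cpu_pct: float   # average over the window, not an instantaneous reading


@dataclass
class Conn:
    pid: int
    dst_port: int
    first_bytes: bytes   # first bytes the process sent on the connection


def looks_like_stratum(first_bytes):
    """True if the payload starts with a Stratum JSON-RPC request line."""
    try:
        line = first_bytes.decode("utf-8", "replace").splitlines()[0]
        msg = json.loads(line)
    except (IndexError, ValueError):
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def classify(procs, conns):
    """pid -> (verdict, reasons). verdict is 'miner', 'review' or None."""
    conns_by_pid = {}
    for c in conns:
        conns_by_pid.setdefault(c.pid, []).append(c)
    results = {}
    for p in procs:
        reasons, stratum, pool = [], False, False
        for c in conns_by_pid.get(p.pid, []):
            if looks_like_stratum(c.first_bytes):
                stratum = True
                reasons.append(f"stratum handshake on tcp/{c.dst_port}")
            elif c.dst_port in POOL_PORTS:
                pool = True
                reasons.append(f"outbound to common pool port tcp/{c.dst_port}")
        hog = p.cpu_pct >= CPU_HOG_PCT
        if hog:
            reasons.append(f"sustained CPU {p.cpu_pct:.0f}%")
        if stratum or (pool and hog):
            verdict = "miner"       # protocol evidence, or port plus CPU
        elif hog:
            verdict = "review"      # CPU alone: builds, AV scans, encoding
        else:
            verdict = None
        results[p.pid] = (verdict, reasons)
    return results


def flagged(procs, conns):
    """Sorted pids with a 'miner' verdict."""
    return sorted(pid for pid, (v, _) in classify(procs, conns).items() if v == "miner")


# Constructed snapshot: one browser, one miner hiding under a system-looking
# name, one legitimate CPU hog, one miner on a non-standard pool port.
SAMPLE_PROCS = [
    Proc(1201, "chrome.exe", 35.0),
    Proc(2210, "svchost.exe", 97.0),
    Proc(2309, "ffmpeg.exe", 92.0),
    Proc(3001, "minerd", 99.0),
]
SAMPLE_CONNS = [
    Conn(1201, 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),   # TLS ClientHello
    Conn(2210, 3333, b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}\n'),
    Conn(2309, 443, b"\x16\x03\x01"),
    Conn(3001, 14444, b'{"id": 1, "method": "mining.authorize", "params": ["worker1", "x"]}\n'),
]

if __name__ == "__main__":
    for pid, (verdict, reasons) in classify(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(f"{pid:>5} {verdict or '-':<7} {'; '.join(reasons) or '-'}")
```

The `minerd` case is why the protocol check matters: it talks to a port that is not on the list, and a port-only rule would miss it. Feed real data from a process sampler and a packet capture keyed by pid (or from EDR telemetry that records the first bytes of each flow).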
Point-of-sale (POS) malware such as Dexter, which targets Windows-based systems, continues to plague merchants. Card data is usually captured on the POS host before it is encrypted or reaches the network, according to Ullrich. "It is not just the targets that are getting infected -- large companies are spending money on information security -- the real problem here is the mom-and-pops, gas stations and vendors like that." More than half of POS systems run on some form of Windows XP. In addition to using dedicated POS systems -- not machines also used for casual Internet access -- retailers need to encrypt card data at the reader itself, so the POS host never handles it in the clear, according to Ullrich.
Nontechnical attack methods also continue to have surprising success. Harvesting social media to find the individuals who handle accounts payable or payment systems in larger organizations or banks is an ongoing issue. Attackers craft targeted emails (spear phishing) to take over webmail accounts and gain access to payment-related traffic. Defenses include better email authentication through DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Note what those three do and do not cover: they stop an outsider from sending mail that claims to come from your domain, but a payment request sent from a mailbox the attacker has already taken over passes all of them, so account security and out-of-band verification of payment changes still matter.
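What "better email authentication" looks like in DNS, and the settings that quietly make it useless, are easier to show than describe. The following is an added example for this article, not code or configuration from SANS or the speakers: constructed SPF, DKIM and DMARC TXT records for the hypothetical domain example.com, one strict deployment and one weak one, plus small checkers for the weak settings a practitioner looks for first (a neutral or permissive `all` mechanism, `p=none`, no aggregate-report address, a partial `pct`, a revoked DKIM key). In practice you would fetch the TXT strings with a DNS library and pass them to these functions; the records here are constructed, and the DKIM public key is an elided placeholder.

```python
"""Check SPF, DKIM and DMARC records for the weak settings that let a
spoofed invoice or payment email through.

Added example for this article, not code or configuration from SANS or the
speakers. All records below are constructed for the hypothetical domain
example.com; the DKIM public key is a placeholder, not a real key.
"""

SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
SPF_WEAK = "v=spf1 include:_spf.mailer.example ?all"
# Published at <selector>._domainkey.example.com; p= holds the base64 key.
DKIM_RECORD = "v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"
# Published at _dmarc.example.com.
DMARC_STRICT = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")
DMARC_WEAK = "v=DMARC1; p=none; pct=10"


def parse_tags(record):
    """'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'}; DKIM and DMARC share this shape."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_issues(record):
    """Weak terminating mechanism and the 10-DNS-lookup limit (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all: anyone may send as this domain")
    elif last == "?all":
        issues.append("?all: neutral result, spoofed mail is not marked as failing")
    elif last == "~all":
        issues.append("~all: softfail only; acceptable while testing, move to -all")
    elif last != "-all":
        issues.append("no terminating all mechanism")
    lookups = 0
    for term in terms[1:]:
        mech = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return issues


def dkim_issues(record):
    """A selector with an empty p= tag is revoked: signatures will not verify."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional and defaults to DKIM1
        issues.append("unexpected v= tag")
    if not tags.get("p"):
        issues.append("empty p= tag: selector is revoked, signatures will not verify")
    return issues


def dmarc_issues(record):
    """Policy that only reports, no reporting address, or partial enforcement."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none: failures are only reported, never blocked")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see who is spoofing the domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only part of the mail stream")
    return issues


if __name__ == "__main__":
    for label, record, check in (("SPF strict", SPF_STRICT, spf_issues),
                                 ("SPF weak", SPF_WEAK, spf_issues),
                                 ("DKIM", DKIM_RECORD, dkim_issues),
                                 ("DMARC strict", DMARC_STRICT, dmarc_issues),
                                 ("DMARC weak", DMARC_WEAK, dmarc_issues)):
        print(f"{label}: {check(record) or 'ok'}")
```

The usual rollout is `p=none` with `rua=` set, so the aggregate reports show which legitimate senders are not yet covered by SPF or DKIM, then `p=quarantine`, then `p=reject`; the checker treats the starting point as an issue on purpose, because organizations tend to stop there.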
Security professionals must assume their systems have been breached and then think about what that means in the real world, advised Mike Assante, director of industrial control systems programs at SANS Institute. Attackers use well-worn methods to reach industrial control systems: they infiltrate a few workstations and look at drive mappings, network shares and internal directory services. Then they use legitimate credentials to map the directory service, which makes them hard to distinguish from ordinary users. "File systems are scavenged by looking for specific extensions or very specific strings," he said. High-value, high-trust control assets should live in their own domain with no trust relationship to the business network's corporate Active Directory services -- which Assante described as the "keys to the kingdom" -- so that a compromise on the business side does not hand attackers access to supervisory control and data acquisition (SCADA) networks. A new architecture for industrial control systems is being developed, according to Assante.
One of the biggest challenges is getting control system engineers and IT security staff to work together, noted Alan Paller, director of research at SANS Institute. Shell Oil Company recently launched a program to address this issue. Assante helped develop the program, which requires education on both sides; everyone involved -- control systems engineers and IT security alike -- must pass the Global Industrial Cyber Security Professional (GICSP) certification.
The "Seven Most Dangerous Attack Techniques and What's Coming Next" session took place on the first day of RSA and will be repeated on Wednesday.