Internet of Things Cartoon (C) Nitrozac and Snaggy

The Internet of Things (IOT)

For those of you that haven’t heard the term yet, the Internet of Things (IOT) is the general concept of connecting an autonomous device to the Internet.  Many of you may have already implemented devices at home like a learning thermostat, security camera or photo frame.  These things add neat features to make our lives more enjoyable, with one of the main features of transmitting data to or from the Internet.

If you are connecting such devices to your home network be sure to set passwords and update them regularly.  You should implement at least the basic firewall on your router.  But the problem is that many folks won’t practice basic security hygiene, and through poorly written software the entirety of the network may be at risk.

Sophisticated agents have targeted Xbox consoles and the PlayStation network ever since they were on the Internet, and it’s only a matter of time before they break down many of the devices that will be later taken for granted.  SCADA controllers, which are used in industrial systems (such as HVAC) aren’t even necessarily exposed to the Internet, yet they can be compromised.  For more on that, read on about Stuxnet.

I am not saying all of this to scare everybody and say that there are boogie men…but all of these neat new things are a bit troublesome to maintain securely (even for the big companies and governments mentioned above).  There isn’t a great answer on how to do this yet.  Maybe Google’s OnHub will be an answer?  Only time will tell.

I’m not saying that I’m immune to how cool and life changing some of these things are, but I know it’s only a matter of time before somebody will determine a method to leverage these devices as a platform to run a bot net or simply hop through a network to other devices.  At this point it’s still kind of the wild wild West until the first big breach happens and the media blows it up like the recent car exploits.

Don’t be too much of a Luddite, just be careful out there and keep your head up.

Emmet...I mean EMET

EMET is Easy

Whether you are an expert or a novice, a Microsoft fanboy or not, EMET is a great tool to install and enhance the security of your environment.

The most recent version can be downloaded directly from Microsoft for FREE here.

There is a prerequisite of .NET 4.  The full download is here.  There are two types of .NET, client side and full.  The full which the link goes to here is slightly larger and contains server side components.  Immediately after installing .NET 4 you will need to check for updates…there will be at least 4 (unless they update the download to slip stream them).

So now you have this tool installed…what does it do?  Why exactly did I install this thing again?  Oh yeah…security.

The way that EMET works is that it protects your system against common programming errors and attack vectors.  It is configured out of the box to protect Windows components, but requires some tweaking to monitor programs that you have installed.  You may want to exercise caution on implementing EMET on everything.  As Krebs mentions, implementing a program at a time and evaluating stability is a good idea.  The User Guide (aka Help) inside of the application explains how to configure via the GUI or the command line.  On most systems you can quickly deploy the most common settings using the following command lines:

“C:\Program Files (x86)\EMET 5.2\EMET_Conf” –import “C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles\CertTrust.xml”

“C:\Program Files (x86)\EMET 5.2\EMET_Conf” –import “C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles\Popular Software.xml”

“C:\Program Files (x86)\EMET 5.2\EMET_Conf” –import “C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles\Recommended Software.xml”

As a former full time *NIX guy I have to say that Microsoft has really come around on the security front.  It’s just too bad that EMET is not included in the OS.  Some would argue that if they didn’t make a buggy OS, then this would be unnecessary…but we are where we are, and mitigation is better than nothing.  The features will still be standalone in Windows 10 (which was recently released).  Depending on how comfortable you are with tweaking things there is a lot of options and you can get deep in to it.  But the good news is that you don’t have to touch a thing and you will make yourself a more difficult target.  That is not to say that you will ever be totally protected, but as long as there is an easier target out there you are less likely to experience a compromise.

-Tony

Old Modem onion_layers

An Easy Layer of Security

Lets face it.  Not everything can be %100 secure.  That is one of the realizations we have to come to when it comes to computers.  There is nothing that will stop a determined intruder %100 of the time.  And if you haven’t heard this before, I’ll tell you here…it’s all about layers of security.  Adding a layer need not be complex.

I had an opening that I didn’t realize until a few months ago.  I got a shiny new cable modem from Bright House.  It has all kinds of cool features that are plug and play.  The thing that I found after a little digging is that there is a default password that is on the admin user.  That means that anybody who is on the Internet and has my public IP could potentially log in and “p0wn” it.

So I just wanted to mention this to everybody from my friends to the security professionals out there…you might want to look up the model number and the default password for your connection.

As soon as you lock that password down to something hopefully stronger than your dog’s name and a birthday you will become a less likely target for hackers as they will potentially move on to easier targets.

-Tony

We are experiencing technical difficulties...please stand by! wargames

What is Cybersecurity?

I am finally getting over chuckling about every time I hear the word cybersecurity.  The word cyber was coined to describe a human having intimate relations with a computer.  But from what I can remember there really was not a term for computer security specialists until after “hackers” started to come to light in the 80s.  So how did we get to cybersecurity?  I’m going to discuss one angle of it through the eyes of my current role.

The DoD was one of the first organizations to standardize computer security with the publication of the “Rainbow Series” books in the mid 80s and early 90s.  They developed a formalized risk assessment model dubbed Information Assurance (IA).

IA is more of a defensive stance on computer security.  It is based off of implementing specific controls in order to reduce risk.  And like any other government operation, it is very tedious and time consuming (think like doing your taxes, but about 10 times longer).

The general process for the legacy DITSCAP/DIACAP IA is to determine a classification and confidentiality level for your system.  If you are interested in seeing that information it is here.

After you have to determined how you want to classify your system, then you have to implement the standard controls to meet that level of risk.  These controls and a checklist are organized in DoD 8500.1 and 8500.2.  IA is typically not the group that will implement the controls, although this does seem to happen.  IA is more of an assessment role that provides guidance to administrators and system owners on their current status.  It is kind of like being a supply chain manager and assessor.  It is not a glamorous job, and there is a lot of paperwork.

That process has changed a bit now, and the Risk Management Framework has began to be implemented.  Different programs are at different points in the process, but the goal is to have systems be continuously monitored.  At this point in the eyes of the federal government the term IA is now Cybersecurity.  And there is still a lot of paperwork.

This is just the viewpoint from where I see it, and there are a lot of details that are left out since I don’t want to put everybody to sleep.

From a real world standpoint the DoD is doing the best they can with a very large group…their suppliers, partners and, of course, themselves.  There is an awful lot of moving parts to ensure that everything that should be done is actually happening.

I hope to get in to some of the tools of the trade in the coming months.

-Tony