[FINALS] IOT Vulnerability and Risk Assessment in an IoT System
Asset Identification
(Asset Management System, inventory records, network)
DREAD MODEL EXAMPLE <SEE PAGE 33 PPT>
A retail chain with 300 locations purchased network-connected DVRs for the security camera systems in each store. The DVRs are connected through the internet to regional offices that administer the DVRs and collect the videos. An embedded HTTP server in the DVR allows the device to be configured and controlled through a web page. ▪ The manufacturer of the DVR has published a notification regarding a recently discovered vulnerability. Threat actors can craft an HTTP cookie request and send it to the DVR's embedded web server. - For devices with this vulnerability, threat actors can gain control of the DVR, view live video, manipulate files, disable operations, etc. ▪ The figure shows that the rating for this vulnerability is High. ▪ Although the risk is High, the company will not update the firmware in all devices because the updating process is labor intensive and would prove costly.
White box
Assessors have knowledge of the network systems and frequently operate from within the organization. They often focus on specific aspects of the system - insider knowledge of network
allowing a limited number of authentication failures before an account is locked out
Defeat brute force attacks by
Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
What is DREAD acronym
Blockchain Hash
____________consists of blocks. Each block is a list of transactions, with a hash of the previous block and hash of this block including its PoW. • The _____________ is computed using the hash of the previous block (prior PoW), along with all the transactions in this block with their digital signatures. • This makes it computationally infeasible to modify a block or change the order of the blocks.
Zones <look image ppt> page 28
can be defined as areas of the system that require different authorization and authentication. ▪ Zones also help to limit the exposure of different parts of the system to the vulnerabilities that are associated with each zone. ▪ Example zones might be the sensor area of the network, web applications, the IP gateway and network edge, etc. ▪ Zones can be nested when components are located within another organization
Security as a service (SECaaS)
companies provide a wide range of managed security services including vulnerability scanning. • Alienvault, Qualys and Mandiant offer these services. • Cisco offers network penetration assessment as part of its portfolio of security products and services
NIST Risk Management Framework (RMF)
is a process that is cyclical and ongoing. (risk management strategies)
Zenmap
▪ Nmap's GUI form, called ___ can produce very detailed information about a single system or a range of systems on a network segment.
Software Scans
(Software Configuration, Software Versions, Vulnerable Services)
1 Confidentiality Impact 2 Integrity Impact 3 Availability Impact
Base Metric Group Impact metrics include: • - measures the impact to confidentiality due to a successfully exploited vulnerability. • - measures the impact to integrity due to a successfully exploited vulnerability. • - measures the impact to availability due to a successfully exploited vulnerability.
Threat+Asset+Vulnerability = RISK
Formula for Vulnerability and Risk
Gray Box
Tester has partial knowledge of the network systems they are testing, including access to the documentation of internal network architecture. Goal is to verify the vulnerabilities, determine the ease of exploiting them, and to determine the potential impacts of exploits. - Targeted knowledge of network
Current Trust Systems
The trust these intermediaries provide include: • Authenticating that the person making the transaction is who they say they are. • Ensuring that all transactions made to the ledger are accurate. • Not allowing any illegal transactions.
Risks
are those vulnerabilities assessed in the context of a specific organization. • A given vulnerability may have greater impact in one type of organization than another
Service Discovery
(TCP ports, UDP ports, Webservices)
Validation
(Whitebox test, Pentests, Testing Refinement)
Data Apps Identity Devices Others
5 types of assets
Decentralized Ledger Proof of Work - Validating transactions in a block
Blockchain uses a ________ with all interested parties maintaining a copy. ▪ The trust is ensured by everyone receiving and believing any new transactions. ▪ Everyone must be using and working with the exact same ledger. This is done using a process known as ____________.
Industrial Internet Control Systems (IICSs)
Enhanced approaches to authentication in IoT systems must be considered when there is high risk of damage or physical harm to people, such as in __
Security as a service (SECaaS)
Vulnerability Assessment Services
White box Black box Gray box
Vulnerability assessment can be classified into three types:
Vulnerabilities
are weaknesses in software and systems that can be exploited by threat actors in cyberattacks.
External Entity Process Data Store Data Flow
- users, contractors, and partners outside of the control of the system that send or receive data - Data output from sensing, actuating, traffic forwarding, analysis, control systems - data stored in local, log, cloud, or data arrow storage - single-headed arrows indicate uni-directional data flow, double-headed arrows indicate bi-directional data flow
Reputation Advantage Equipment Safety Others
5 types of consequence Loss from threat actors attack
DREAD model
Each threat identified by STRIDE must now be assessed for its degree of risk for the organization. ▪ The _____________ results in a quantitative risk score. ▪ This score can be used with risk cost assessments to evaluate the desirability and feasibility of mitigating a threat.
EXPLOITABILITY
HIGH - Easily carried out by inexperienced threat actor MEDIUM - requires skilled attacker LOW - Requires very skilled attacker or attacking organization
AFFECTED USERS (OR DEVICE)
HIGH - Enough devices to cause serious outages. All users who are up to standard. MEDIUM - Some devices that are not patched or not up to current standard. LOW - Few users or devices under edge-case configurations or roles
1 Asset Identification (Asset Management System, inventory records, network) 2 Service Discovery (TCP ports, UDP ports, Webservices) 3 Software Scans (Software Configuration, Software Versions, Vulnerable Services) 4 Validation (Whitebox test, Pentests, Testing Refinement) 5 Reporting
PROCESS OF VULNERABILITY ASSESSMENT
1 Identify Security Objectives (understand the system) 2 Document the IoT System Architecture (understand the system) 3 Decompose the IoT System (determine vulnerabilities & assess risk) 4 Identify and Rate Threats (determine vulnerabilities & assess risk) 5 Recommend Mitigation (mitigates threats)
Steps in Threat modeling Depth
Risk Identification and Risk Assessments
parallel the threat modeling approach. RMF closes the circle by including the risk response, response evaluation, and response assessment activities.
Base Metric Group two types: Exploitability Impact metrics
represents the characteristics of a vulnerability that are constant over time and across contexts. 1) ________ - These are features of the exploit such as the vector, complexity, and user interaction required by the exploit. 2) _________ - Impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.
Blockchain blocks Immutable
1) - is primarily known as the technology behind Bitcoin. ▪ It is gaining a lot of attention from those interested in finding better ways to secure transactions, including information exchanged by IoT devices. ▪ 1) ___________ is a technology that solves the problem of trust. • is a distributed ledger whose continuous growing list of records, called 2)__________, are linked together and secured using cryptography. • 3)_______________ unable to be changed.
5. Denial of Service
>> Cause device to be unavailable to perform legitimate functions due to illegitimate traffic, data, or software - crashing a website - sending data absorbing CPU cycle, storage, or device power resources
3. Repudiation (Anticipatory Breach)
>> Disabling ability to prove or disprove events - corrupt or destroy log files - alter data record timestamps
1. Spoofing
>> Impersonating a legitimate user or device - pretending to be a valid user or device - pretending to be another server - laptop impersonates IoT gateway to perform man-in-the-middle data interception
4. Information Disclosure
>> Making privileged information available to unauthorized parties - gathering sensitive information from log files - using SQL injection to steal personal data from a web application
2. Tampering
>> Modifying data, code, or device - Modifying sensor data - Physical device Hacking
6. Elevation of Privilege
>> Obtaining higher privileges than would normally be authorized - allowing a remote user to run commands, switch from a limited user to admin - using intercepted credentials to log on to a data dashboard
2 Document the IoT System Architecture (understand the system) Data flow diagrams (DFDs)
After the security objectives are identified, the functions of the system architecture should be diagrammed. __________________ are extremely useful for visualizing an IoT system. • DFDs depict the pathways that data will take between different functional components of the system, including entry points into the system and the devices and people using those entry points.
1 Attack vector 2 Attack complexity 3 Privileges required 4 User interaction 5 Scope
Base Metric Group Exploitability metrics include: • - reflects the proximity of the threat actor. • - expresses the number of components, software, hardware, or networks, that are beyond the attacker's control and that must be present. • - captures the level of access that is required. • - expresses the presence or absence of the requirement for user interaction. • - expresses whether multiple authorities must be involved
Blockchain Trust System
Blockchain accomplishes trust in a very different manner. ▪ Cryptocurrencies such as Bitcoin do not use an intermediary to ensure the trust of the transaction. ▪ Instead, Bitcoin uses the blockchain itself to provide that trust between the buyer and the seller. ▪ This can be applied to any type of application that uses some type of transaction or ledger.
Blockchain Applied to IoT Security
Blockchain can be used to help solve many of the security and trust challenges for IoT: • Tracking sensor data measurements and preventing malicious data. • Providing IoT device identification, authentication, and secure data transfer. • Allow IoT sensors to exchange data directly with each other securely without an intermediary. • A distributed ledger eliminates a single source of failure within the IoT ecosystem. • IoT deployment is simplified and operation costs of IoT are reduced because there is no intermediary. • IoT devices are directly addressable with blockchain, providing an immutable history.
How Blockchain Works: Blockchain Features
Blockchain is a continuously growing list of transactions in the form of blocks. These blocks are linked and secured using cryptography. ▪ A blockchain uses the following: • Digital signatures • Decentralized ledger • An algorithm for reaching consensus • Each block includes the hash of the previous block, forming a chain of blocks known as a blockchain.
IoT and Blockchain
Both IoT and blockchain are disruptive technologies - a product or service that enters the market with a vastly different, even revolutionary approach. ▪ Cisco Systems is one of the leading members of the Trusted IoT Alliance, a consortium of 17 companies to help establish a standard protocol for a blockchain-based IoT security solution.
CVSS v3.0 Calculator Temporal and Environmental metric values
CVSS process uses a tool called the _________________ • The calculator is similar to a questionnaire in which choices are made that describe the vulnerability for each metric group, then a score is generated. • In addition to the numeric severity rating, a vector string is also created that summarizes the choices made. • The __________ & _______________ metric values then modify the Base Metric results to provide an overall score.
IoT gateways Edge devices Control applications
Components included in an IoT system DFD: • IoT devices • _____ - Enable sensor data to be sent across the IP network. • Local applications • __________ - Enable internal IP traffic to be sent between locations and the internet or cloud. • Data applications • Data storage • _________ - Process data in order to make decisions that enact control. • Mobile applications
External Entity - users, contractors, and partners outside of the control of the system that send or receive data Process - Data output from sensing, actuating, traffic forwarding, analysis, control systems Data Store - data stored in local, log, cloud, or data arrow storage Data Flow - single-headed arrows indicate uni-directional data flow, double-headed arrows indicate bi-directional data flow
DFDs use 4 symbols to represent these devices. This course uses Yourdon and Coad symbols. External Entity Process Data Store Data Flow
dread <shown in page 32 ppt>
DREAD Small modifications may be required to apply these models to IoT systems since they were developed for software systems. ▪ Each vulnerability identified by STRIDE is rated according to the five DREAD categories. The rating values are: • 3 = high • 2 = medium • 1 = low ▪ Figure shows the meaning for the metric values for each category. These values are relative to the organization and system which is affected by the vulnerability
1 Identify Security Objectives (understand the system)
First step is to determine what the security objectives are for the system, based on its purpose and operation. ▪ Important to understand what type of data is handled by the system and the consequences of data theft or destruction. • Will data loss result in financial losses? If so to what degree? • Will the reputation of the company be damaged? If so, what are the business impacts? ▪ Governments and other organizations are enacting regulations that govern how data is gathered, transmitted, and stored. • Violations of these regulations can result in serious financial and legal penalties. ▪ Critical infrastructure systems must always be available, disruptions can have serious impacts.
REPRODUCIBILITY
HIGH - Every attempt will be successful MEDIUM - Estimated to work half the time LOW - Difficult to reproduce; exploit requires special conditions
DAMAGE POTENTIAL
HIGH - System down or under threat actor control; damage to people or facilities MEDIUM - Loss of Important data; some temporary system compromise or loss of availability LOW - Minor to medium loss of data or system impact
DISCOVERABILITY
HIGH - Widely known in the attacker community. High value to attackers. MEDIUM - Little known and not widely present, some benefit to threat actors LOW - little known and of little interest.
threat-vulnerability (T-V)
Identification and matching of threats with vulnerabilities is called ___________ pairing. - T-V pairs can be used as a baseline to indicate risk before security controls are implemented. • Baseline can be compared to ongoing risk assessments as a means of evaluating risk management effectiveness. • This determines the inherent risk profile of an organization. ▪ Risks may be scored or weighted as a way of prioritizing risk reduction strategies.
Brute force Dictionary Attack Password Sniffing and Cracking
Password Vulnerability Tools Weak passwords on IoT application portals are a concern. ▪ Several common types of password attack methods that can be used to assess password security
Password sniffing and cracking
Protocol analyzers can be used to intercept authentication traffic that contains hashed passwords. Hashed passwords may also be discovered in the file systems of IoT devices. Tools such as John the Ripper and Aircrack-ng can be used to attempt to crack the hashes
Risk Management Strategies 1. risk identification (identify assets, vulnerabilities, threats) 2. risk assessment (Score, weigh, prioritize risks) 3. risk response planning (determine risk response, plan actions) 4. response implementation (Implement risk response) 5. monitor and assess results (Continuous risk monitoring and response evaluation)
Risk Management Strategies (5 IN ORDER)
Bug Bounty Hunters
Talented ethical hackers hired by crowdsourced security services to test their clients' networks. • Company has access to a wide range of creative hacking talent.
Risk Response: Risk avoidance (Terminate) Risk reduction (Treat) Risk sharing (Transfer) Risk retention (Tolerate)
The four "T's" of risk response: • - Stop performing the activities that create risk; eliminate the risk by ceasing the activity that is the source of risk • - Decrease the risk by taking measures to reduce vulnerability; take action to mitigate the threats that generate risk to reduce probability or impact • - Shift some of the risk to other parties; share the risk with other parties such as insurers and security as a service organizations • - Accept the risk and its consequences; take no action to reduce the risk ▪ The figure shows that a guide to deciding which response to take involves weighing the potential impact of the risk against the probability that it will occur.
Black Box
This assessment is the closest to an actual attack. The assessors, who are usually working for a third party, have no knowledge of the network architecture. - no knowledge of network
Brute force
This attack is a very time consuming, inefficient, automated means of trying every possible combination of letters, numbers, and symbols to challenge logins
Dictionary attack
This attack uses lists of words that could be used as passwords.
Attack-centric Defense-centric Asset-centric
Three approaches to threat modeling: • - from the point of view of the attacker. • - analyzes the architecture system to identify threats to different elements. Used in this class. • - focuses on classifying assets and assigning value to them
Current Trust Systems
To best understand how blockchain technology works, we should first look at how trust works in our current monetary system. • When we purchase goods or services, both parties agree on the method of payment. Typically, traditional currency such as cash, debit card, credit card, or a check. • We rely on a third party, an intermediary, to guarantee the financial transaction between the buyer and the seller, for example, a bank, usually charging a fee. • These financial transactions are typically recorded in a single, centralized ledger which we trust is accurately maintained
OWASP ZAP OpenVAS Burp Suite
Web Application Vulnerability Tools (3)
Reaching Consensus: Proof of Work
___________ is an algorithm (hash) performed by computers that requires a large amount of computational work in a relatively short amount of time. These computers are known as miners. - A block includes transactions along with their digital signatures. ▪ Validating transactions in a block uses a process known as
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege (STRIDE)
approach provides a set of categories that are very helpful for identifying potential threats in IoT systems. - provides a classification scheme for identifying threats for each element of the DFD - Understanding which vulnerabilities are relevant to which system elements will help save time in the threat modeling process.
Port mapping tools
are used for discovering open ports on end systems and network devices. ▪ Examples are Nmap, Netcat, or SolarWinds Port Scanner. ▪ Nmap's GUI form, called Zenmap, can produce very detailed information about a single system or a range of systems on a network segment. • Can discover hosts on the network. • Can report the open ports. • Can identify the operating systems that are running on hosts. • Can reveal details about the services that are running on the open ports, including the software versions, in a process known as fingerprinting.
Trust Boundaries <look image ppt> page 29
boundaries delimit sections of the network where the level of trust between entities at either end of a flow is different. • For example, data flowing from an IoT Gateway to Cloud Gateway crosses a trust boundary. • The permissions for the IoT Gateway are different than those for the Cloud Gateway, which is exposed to the internet and accessed by many users. • Data traffic that crosses this boundary must be authorized and authenticated at the incoming device.
Penetration testing (pen testing)
consists of actual focused attacks that uncover the potential impacts associated with known vulnerabilities. - is an assessment tool used in black box testing - the hackers operate with no knowledge of the internal workings of the target system. - Skilled ethical hackers take on the role of threat actors and launch actual attacks that are meant to replicate what malicious hackers might do. - Pen testing is also used to confirm that vulnerabilities identified in other vulnerability assessments do exist - Gray box testing. - Pen tests are used to confirm that measures taken to eliminate a vulnerability have been effective.
NIST National Vulnerability Database (NVD)
enhances Common Vulnerabilities and Exposures (CVEs) with additional analysis, a database, and a fine-grained search engine
OpenVAS
framework combines a number of vulnerability scanning tools into a unified application that includes vulnerability data storage, scan scheduling, and reporting.
United States National Institute of Standards and Technology (NIST)
has guidelines for digital identities.
Vulnerability assessment
identifies vulnerabilities that are likely to be exploited by threat actors. Vulnerability assessments can be routinely and regularly conducted, or may be targeted at specific components of an IoT system. ▪ Vulnerability assessments are frequently performed using off-the-shelf tools such as those found in Kali Linux.
Burp Suite
is a comprehensive group of web application vulnerability testing tools that can identify the presence of the OWASP top 10 vulnerabilities. It includes a scanner, a configurable automated attack tool, and a web crawler that can map the file system of a web application.
A digital signature
is a mathematical scheme for demonstrating the authenticity of digital information. ▪ cannot be copied because it is always different. • It uses the message or transaction to help derive the signature. • Changing the message even slightly makes the _________ completely different. ▪ involves the message (or transaction), a private key, and a public key as shown in the figure.
The Open Web Application Security Project (OWASP)
is a primary reference for web application vulnerabilities. The OWASP Zed Attack Proxy (OWASP ZAP) is a free open-source vulnerability assessment tool used for black box pen testing.
Threat modeling
is a proactive approach to assessing security of systems and software. Threat modeling is best applied throughout the development process.
Common Vulnerability Scoring System (CVSS)
is a risk assessment designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems - requires the assessor to select values in three metric groups for each vulnerability that has been identified
CVSS 3.0
is a vendor-neutral, industry standard, open framework for weighting the risks of a vulnerability using a variety of metrics. • These weights combine to provide a score of the risk inherent in a vulnerability. • The numeric score can be used to determine the urgency of the vulnerability, and the priority for addressing it. • Does not include metrics around the issue of safety because it was designed for IT security. Future scoring systems should include additional metrics specific to IoT implementations.
CVSS Base Metrics Group
is a way to assess security vulnerabilities found in software and hardware systems. • It describes the severity of a vulnerability based on the characteristics of a successful exploit of the vulnerability. • The other metric groups modify the base severity score by accounting for how the base severity rating is affected by time and environmental factors.
Level of Risk
is dependent on the value of the asset, the vulnerability of that asset within the context of the software and systems on which they are used, and the likelihood that threats will be successfully executed against that asset.
Username
is essential - account lockout can be a malicious denial of service in which attackers intentionally try to lock out legitimate users
OT communication
is frequently M2M with humans monitoring and controlling industrial, energy, environmental, or smart city systems, among others
HackerOne
is one of the first companies to provide these services. • Also tests core internet technologies such as OpenSSL, various servers such as Nginx and Apache, and languages such as PHP, Python, and Perl. • Enlists nearly 100,000 hackers to discover vulnerabilities and has paid millions of dollars in internet bug bounties
Cisco Talos Intelligence Group
is one of the largest commercial threat intelligence teams in the world. • Talos defends Cisco customers against known and emerging threats.
Environmental Metric Group
measures the aspects of a vulnerability that are rooted in a specific organization's environment.
Temporal Metric Group
measures the characteristics of a vulnerability that may change over time, but not across user environments.