The Dark Side of the IoT: Potential Threats Abound

Tony Kontzer
January 6, 2017

As the IoT makes its way into every enterprise in one way or another, it's critical that organizations brace themselves for the risks that come with an around-the-clock network of devices exchanging data. And make no mistake: the risks are numerous, and the list is getting longer all the time.

Like it or not, the IoT is a tempting new target and is also a platform for launching new approaches to tried-and-true attack strategies.

What's more, the very nature of the IoT (embedded devices, convergence, cloud-based control, and a wide variety of communications protocols) adds some serious challenges to IT security teams' to-do lists. As Ed Skoudis, faculty fellow and penetration testing curriculum lead at the SANS Institute, put it during a keynote panel at the RSA Conference in San Francisco in February, "This stuff is getting really complicated, really fast."

In other words, IT security teams need to come at securing this fast-growing area with new tools, fresh perspectives, and some serious risk analysis. In the previous article (link to first article), we established the push and pull of the IoT: it represents significant business opportunities that more than balance out this expanded universe of threats. Now let's drill down into this growing threat profile for a better understanding of what organizations should expect to face.

Ransomware

Ransomware has evolved into a favorite method of attackers, but the IoT is allowing this category to evolve into something much more nefarious. In the "old days" before the IoT, a ransomware attack was very specific: the bad guys gained access to some data, locked it up, and demanded a ransom to give it back. But attackers have figured out that the IoT allows them to achieve the same result in many new ways.

For example, attackers can use the IoT to literally shut down portions of a business. We saw this last year when attackers took over the room key system of a hotel in Austria. Attackers could potentially take over manufacturing equipment, traffic light controls, even police and fire dispatch systems. The possibilities are dizzying.

Even seemingly mundane IoT assets can help the bad guys achieve their goals. Skoudis told the RSA Conference audience that a recent attack on the San Francisco Transit Authority interrupted its ability to take payments, but did not affect its ability to run its MUNI trains. SFTA simply allowed passengers to ride for free until it had shored up the vulnerability, and in that case no ransom was paid. Next time, SFTA might not be so lucky.

Things can get even more esoteric when attackers start using the IoT to make it seem as though there is a direct threat.

"If I can make someone believe I can control something, that's really using psychology to make money," said Gib Sorebo, chief cybersecurity strategist at government and healthcare consultancy Leidos, during a panel discussion at the RSA Conference.

That psychology will become even more powerful as attackers get more brazen with their demands. So don't expect future attacks to demand only the $1,800 ransom the attackers sought from the Austrian hotel. Eventually, the bad guys will figure out their targets' optimum pain threshold.

"They're working on their pricing strategy," Sorebo quipped at the RSA Conference.

DDoS Attacks

The potential damage that can be inflicted in an IoT DDoS attack is downright nerve-wracking. The IoT-based attack that used security surveillance cameras to bring down more than 1,200 web sites around the world last fall will seem like a trifle compared to the possible scenarios the security community is envisioning.

Take so-called smart cities. San Diego, which has jumped to the forefront in connecting its array of services via the IoT, could be crippled in many ways by a well-thought-out attack.

"Imagine a hacker targeting a city by compromising IP cameras and bringing down police and fire department eyes on the city," said Chad Bacher, senior VP of product strategy and technology alliances for security firm Webroot, at the RSA Conference. "That's a much bigger risk than in a traditional IT environment."

Endpoint Sprawl

Thanks to the IoT, the sheer number of possible points of entry and devices to protect is steadily growing beyond what most IT teams can keep up with. Continuing the smart city example, Bacher pointed to the expanded set of attack vectors the IoT presents, with remote IP cameras, traffic signals, connected cars, sewer and water systems, the power grid... the list goes on. All of these endpoints are talking to one another, creating a monumental challenge in managing and securing all of those data flows.

Ed Fok, a transportation technologies specialist with the Federal Highway Administration, got RSA Conference attendees thinking hard when he offered up a scenario in which hackers cut off the warning systems on self-driving cars, thereby suppressing the alerts that would warn drivers of an impending accident. Suppressing an alert could have implications in a number of IoT-enabled settings, raising concerns about hackers being able to truly "weaponize" IoT devices.

The takeaway is that security teams tasked with locking down IoT devices and networks have to turn over every rock in doing so.

"We're seeing points of entry we've never seen before," said Fok, declining to offer detailed examples so as not to tip off the bad guys. "Let's just say we're looking, and leave it at that."

Insider Threats

The potential for IoT devices and systems to be used by a disgruntled employee or contractor to launch an attack on their employer represents fertile ground. And given that an insider threat field guide recently released by Intel offers up a matrix of more than 60 attack vectors, IT security teams have a lot of possibilities to consider.

A Changing Risk Profile

The evolution of all of these attack categories serves as a reminder that the IoT increases the speed and scope with which risk profiles are changing. The implications for network infrastructure are broad, as scanning and monitoring activities need to be stepped up, as do network intelligence capabilities. In essence, organizations need to work harder to be prepared.

"We're already trying to think 10-15 years out: what kind of resilient network do we need to build?" Gary Hayslip, chief information security officer for the city of San Diego, told RSA Conference attendees. "I'm very paranoid about these new things we're bringing in."

And so he should be. But that paranoia shouldn't stop organizations from taking full advantage of all the IoT has to offer. That said, they must take every necessary step to ensure that they've armed themselves sufficiently to prevent the IoT's inherent vulnerabilities from spiraling out of control.

Addressing the dark side needs to start with your network infrastructure. Learn more about the IoT, its impact on your organization's network and how ALE can help you address it.

About the Author

Tony Kontzer

Having lived in Silicon Valley through the boom and bust of the dot-com bubble, he's had a front-row seat for the evolution of the technologies that have been the foundation of IT-powered business, from the growth of client/server computing, through the birth of the commercial Internet, to the emergence of cloud computing, social media and big data. He has been a regular contributor to publications such as Investor's Business Daily, Baseline, Network Computing and TechTarget, as well as numerous technology community sites.

A 1988 graduate of the University of Missouri-Columbia School of Journalism, Tony spends his non-working hours chasing his two young sons around, handing money to his teenage son, and trying desperately to get his wife to answer the phone.
