In the IoT & Beyond, Security Resides On The Dark Side, Part One

Embedded Bits, Bytes, & Sensors by Mat Dirjish and Captain Brent Chapman

Since the first days of networking just two or three computers together over a plain old telephone service (POTS) line, there have been individuals hell bent on hacking into those networks. Reasons for hacking other users' systems range from mildly mischievous to ludicrously larcenous. Government agencies and financial institutions have been the prime targets of intruders since day one, but ever since the rise of the internet, everyone and every group is a potential target.

Naturally there has been no shortage of measures taken to thwart these attacks. There is a plethora of anti-virus, encryption, anti-malware, and anti-spyware applications available as well as firewalls, all ranging in price from free to ridiculously high sums of cash. And for every established and/or emerging solution, free or otherwise, there's an army of villains out there figuring out how to hack through.

On occasion, a major commercial outlet such as Target retail stores or a government agency like the IRS gets hacked and the personal information of thousands of people is compromised. The mainstream media wastes no time in reporting these incidents, and in a manner that could scare the deceased. These events are unfortunate, but they kind of come with the digital territory.

Equally unfortunate is the sterility of cybercrimes and attacks. Identity theft and related crimes over the internet are faceless and emotionless events. The victim is essentially alone and often not aware that he or she is a victim for some time after the crime was committed against them. One could say that in some respects it's safer than getting held up at gunpoint. Yes, it's also safer than a sharp stick in the eye, but crime is crime, even without the blood.

As we approach this wondrous age of the Internet of Things (IoT), there will be even greater opportunities for cyber theft, general mischief, and the latest craze, cyber terrorism. Simply observed, the more stuff you hook up to and control from the internet, the more potential victims there are for the picking.

In this multipart article, we will be speaking to professionals actively involved with the business of keeping systems secure on the digital ocean. In this issue we'll be talking with Captain Brent Chapman.

Captain Chapman is a member of the Army Element of the Defense Innovation Unit Experimental (DIUx) in Silicon Valley, CA. He was previously a researcher at the Army Cyber Institute and Instructor in the Department of Electrical Engineering and Computer Science at the United States Military Academy. Currently an officer in the U.S. Army's Cyber Warfare branch, he has prior experience as a cryptanalyst and network engineer. In addition to having several industry certifications, he also holds a BS from West Point and MS from Carnegie Mellon University, both in the fields of information technology and security.

Captain Chapman has also been recognized for his expertise in the areas of rapid fabrication, innovation, and security, earning him invitations to speak at the National Maker Faire, Shmoocon, Cyber Talks, MakerCon, World Maker Faire, The Future of War Conference, and AUSA. For more information, visit his personal website at http://www.brentmorelabs.com.

We asked Captain Chapman a series of security-related questions as follows.

MD: Cyber threats have gone way beyond the antics of mischievous hackers and identity thieves. Although financial institutions are always fair game for cyber thieves, government and military institutions are becoming prime targets for both cyber invasion and terrorism. Currently, what do hackers have in their sights beyond the typical targets such as banks, individual citizens, and commercial outlets?

Capt. Chapman: Over the past few years, several trends have emerged when investigating compromised systems. I'll mention two that are particularly interesting to me. The first is, in part, a result of increased access to affordable computing hardware and free, yet powerful, software. "Hacktivism" has become an effective way to get attention through malicious computer activity. It's characterized by the misuse of computer systems to further a social or political cause. Organizations like Anonymous have gotten national attention because of their ability to call large groups of individuals together and, using these low-cost tools, launch hacking campaigns against targets such as the KKK, governments, police organizations and even ISIS. They lack centralized command-and-control, but are often very effective in disrupting networks.

The second trend has to do with hackers abusing weaknesses in non-traditional network-connected products. Using commandeered baby monitors, for example, criminals have verbally abused children, sent ransom messages to parents and even used the camera as reconnaissance before committing burglary. Compromising these types of cyber-physical devices evokes an understandably visceral reaction because the results are so tangible. This, of course, isn't restricted to just toys and home automation products. Sensitive industrial equipment has been targeted by well-organized attackers with very alarming results.

MD: Internet security concerns are ever escalating. It seems that the moment a solution against digital invasion is in place, someone or some group finds a way to circumvent it. Is it possible to create an impenetrable system that exists on the Internet or would the system have to be hardwired, standalone and inaccessible to anyone other than authorized personnel?

Capt. Chapman: Security protocols are designed to prevent unauthorized access to the information within a system, while ensuring that the system is available to, and accessed by, only those who are authorized. Achieving a high level of security on these systems sometimes proves so burdensome that, much to the chagrin of systems administrators, users often take shortcuts.

Consider the scenario in which a rigorous password policy is in place that requires a user to select a password that is 20 characters in length and contains a combination of upper and lower case letters, numbers, and special characters. One would say that this is a very secure password indeed. However, when we consider that this user very likely writes that password on a sticky note located under the keyboard for fear of being locked out of the system, we quickly realize the problems with such a policy. This is the basis of the never-ending battle that is usability vs. security.

These concepts ought not to be mutually exclusive, but since security was an afterthought in many of the systems we use, system owners and users are forced to prioritize one over the other. There is no single product anywhere that will provide complete protection, and believing that we can find such a panacea is a fatal pursuit. For the time being, we'll continue towards striking a balance between usability and security, and also use a combination of methods to achieve maximum security.

MD: There have been some reports recently of intruders being able to gain access to systems on a component level. For example, one report indicated that some hackers are able to access a system and gain control of individual devices such as microcontrollers (MCUs), and programmable logic devices and alter the way each operates. They can also change or replace firmware. To do this seems to require advanced engineering skills and knowledge. Is this possible and, if so, where is the inherent system weakness: software, hardware, overall design, or all and any combination?

Capt. Chapman: No usable system is completely immune to attack. Given enough time, knowledge and/or money, an attacker will find a way into a system, especially if the attacker has physical access. However, I believe that today's engineers build very good systems that are quite resilient. There are examples of attacks that employ advanced engineering knowledge or programming skills, but the vast majority of successful attacks come by a much simpler vector: a careless human falling victim to a clever e-mail ruse and divulging sensitive information.

At the scale that some of these attacks are occurring, it's a matter of economics for an attacker. In an attempt to gain unauthorized access to a system, why aim for a hardened target that will require advanced levels of engineering or programming knowledge when a well-crafted phishing email to a gullible employee will suffice?

MD: Recently, there has been a good deal of concern surrounding the use of open-source software. More aptly put, the concern revolves around the plagiarism of open-source code by designers facing very tight time-to-market schedules for their products. Rather than invest the time and money to create proprietary code, some designers lift some open-source code, change a few headers, and sign off on it. For devices of little import (toys and standalone novelties) that do not interface with other devices via the web or otherwise, this may not be a big deal beyond the ethical issue of plagiarism. However, in light of more devices on every level becoming part of the Internet of Things (IoT), open-source software opens a veritable playground free of restrictions for hackers. What is your view on this practice? What can be done to limit this practice and to encourage manufacturers to invest in safer code?

Capt. Chapman: The challenge with IoT devices is that, in many cases, the product is brought to market by vendors who either lack awareness of the security issues with their products or do not appropriately prioritize security in their feature set. Many manufacturers take what they believe to be a more cost-effective route by building in functionality and leaving security for later.

The issue is that many of the protocols used in these connected systems were developed without consideration of security. Telnet, for example, was designed for system administrators to monitor remote systems. Security was not a priority since so few organizations had computers capable of interacting on a common network, but as computer networks grew and became public, security researchers started to notice abuses over the networks. Telnet, having no default encryption or authentication mechanism, had become a favorite of malicious hackers. To this day, although its weaknesses are currently well-known, Telnet is still enabled on many devices for either legacy support or cost-effectiveness. We can encourage manufacturers to make better choices by choosing devices and components that are compliant with modern standards for security.

MD: Is there a difference in the methods of securing individual components – single-board computers, kiosks, semiconductor devices, firmware, etc. – as opposed to the software that controls the application and/or system? What are the concerns surrounding operating systems, like which ones are more secure as opposed to being user friendly yet vulnerable?

Capt. Chapman: It all depends on the application. Standards exist partly for cost reasons. Writing your own custom protocols or operating systems is cost- and time-prohibitive, but there has been a lot of work done by the community to ensure an acceptable level of security for many uses. If I'm looking to build an environmental sensor for my dog's kennel using a Raspberry Pi, for example, then I think it's appropriate to use the standard Debian distribution to run my tasks. However, I wouldn't use a similar setup as my industrial controller in, say, a deployed military environment.

MD: There is a consensus that soon there will be over one trillion sensors tapped into the Internet monitoring everything from a baby's pulse rate to who might be sneaking up to some establishment with evil intent. Aside from a lack of privacy, and as much as such an all-encompassing system may offer a level of security, the opportunities for theft and terrorism will probably be limitless. What are your thoughts on the "trillion-sensor world" and what can individuals and organizations do to shield themselves from threats?

Capt. Chapman: For the IoT, the consequences of compromised networks are more tangible and immediate due to the scale and connectivity to the physical world. As attackers find ways to compromise these connected devices, vendors often scramble to issue patches to safeguard their customers from hacking. Often relying on their customers to be more savvy than they actually are, manufacturers effectively pass the responsibility for protection to the user. This model, however, will not hold up: security must be built into products from the ground up. In addition to reacting to threats that have the potential to expose our personal data, we should also be prepared to mitigate threats that might modify traffic signals, disrupt power to our schools or disable alarm systems. This isn't science fiction - there are more and more examples every day of what goes wrong with our cyber-physical systems.

MD: According to a Dept. of Homeland Security report, "Seven Strategies to Defend ICSs," issued in December 2015 by the National Cybersecurity and Communications Integration Center (NCCIC), in Fiscal Year 2015, 295 incidents were reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and many more went unreported or undetected. The department recommends seven strategies that would have addressed all the breaches and would have protected the safety and reliability of the affected industrial operations. Three out of the seven strategies recommend using hardware-enforced unidirectional communications. What are your thoughts on this approach?

Capt. Chapman: As mentioned before, there is no perfect system, but the suggestions proposed by the strategy document are great.
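The hardware-enforced unidirectional communications the question refers to are commonly built as data diodes: the protected control network can only send, and nothing can flow back. The Python below is an added illustration, not code from the interview or the NCCIC document, that simulates what such a link imposes on the software on either side: because there is no return path, the sender must number and checksum every frame (the framing here is an assumption for the demo), and the receiver can detect lost or damaged frames but can never ask for a retransmission.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")   # sequence number, payload length
TRAILER = struct.Struct("!I")   # CRC-32 over header + payload


def build_frame(seq: int, payload: bytes) -> bytes:
    """ICS side: wrap one telemetry record in a numbered, checksummed frame."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


class DiodeReceiver:
    """Business-network side: it can detect loss, but never ask for a resend."""

    def __init__(self):
        self.expected_seq = 0
        self.records = []   # accepted payloads in arrival order
        self.gaps = []      # (expected, received) sequence pairs around lost frames
        self.corrupt = 0    # frames rejected by the CRC or length check

    def ingest(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size + TRAILER.size:
            self.corrupt += 1
            return False
        body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
        seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if zlib.crc32(body) != crc or len(payload) != length:
            # A damaged frame's sequence number is untrusted, so drop it; the
            # hole surfaces as a gap when the next intact frame arrives.
            self.corrupt += 1
            return False
        if seq != self.expected_seq:
            self.gaps.append((self.expected_seq, seq))   # log it; no back-channel
        self.expected_seq = seq + 1
        self.records.append(payload)
        return True


def run_demo() -> dict:
    """Push five constructed readings across the link; lose one, corrupt one."""
    readings = [b"pump1 temp=71.2", b"pump1 temp=71.4", b"valve3 state=OPEN",
                b"pump2 temp=69.9", b"valve3 state=CLOSED"]
    frames = [build_frame(i, r) for i, r in enumerate(readings)]
    del frames[2]                                        # frame 2 lost in transit
    frames[2] = frames[2][:8] + b"\xff" + frames[2][9:]  # frame 3 bit-flipped
    rx = DiodeReceiver()
    for f in frames:
        rx.ingest(f)
    return {"accepted": len(rx.records), "gaps": rx.gaps, "corrupt": rx.corrupt}
```

Running `run_demo()` accepts three of the five readings and records one gap and one corrupt frame; in a real deployment those counters are what the receiving side alerts on, since recovery has to happen by resending from the protected side on its own schedule.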

In part two of this article we'll get some insight from IPSO on the same questions. Until then, don't open any mysterious e-mails. ~MD
