As expected, ransomware and IoT insecurity made it to the top of the pile
The 'Seven Most Dangerous New Attack Techniques' was one of the most popular sessions at the RSA Security Conference 2017. As expected, ransomware and IoT insecurity made it to the top of the pile. The session was moderated by Alan Paller, Director of Research, SANS Institute, and the three panelists were Ed Skoudis, Head of SANS Pen Testing and Hacker Exploits Immersion Training Programs, Michael Assante, Technical Director for the US National team, and Johannes Ullrich, Director of the SANS Internet Storm Center, the early warning system for the Internet.
Skoudis highlighted three of the seven new threats:
1. Rampant Ransomware
"We are seeing a huge increase in the number of ransomware attacks and their economic impact on not just individuals, but also enterprises. Today, ransomware is increasingly targeting network file servers, back-ups, and big databases, substantially amplifying its impact on enterprises," said Skoudis.
2. Internet of Things Attacks Evolve
"With large-scale, open-source worms, such as Mirai, spreading to tens of millions of IoT devices, attackers can leverage these systems to create massive floods to take nearly any organization off the Internet. These widespread IoT attack platforms could be leveraged for attacks other than floods, including stealthy theft of information and password cracking," he noted.
3. Ransomware and IoT Collide
"By combining the ransomware threat with IoT, attackers will be able to have much more impact than through denial of service floods. By encrypting configurations and control infrastructures, attackers could hold thermostats, lighting infrastructures, or even automobiles for ransom," said Skoudis.
Assante, who is also helping Ukraine in the aftermath of the power grid attacks, highlighted the impact of the industrial control system attack that compromised the information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to end consumers.
4. Industrial Controls Systems Attacks Turn Off the Power and Disable Recovery and Smooth Operations
"The attacks in 2015 and 2016 causing power outages in Ukraine were planned and highly coordinated. The attackers were successful in hijacking automation systems to cause outages, followed by a series of well-sequenced and damaging payloads unleashed on workstations, servers, and embedded devices. The attacks left their targets with little confidence in relying on their remaining automation, forcing them to operate in a degraded manual state," said Assante.
Ullrich, who hosts a daily podcast for 35,000 technical cybersecurity leaders on overnight attacks and developments in cybersecurity, is also the Dean of Research at the SANS Technology Institute, SANS' graduate school. He listed weak random number generators, vulnerable NoSQL databases, and reliance on unprotected remote web services.
5. Weak Random Number Generators
"Creating good random numbers is a challenging problem. Small devices make it difficult to collect enough random events to initialize the algorithms used to create random numbers. Recent research has shown how this can be exploited to break WPA2 encryption," said Ullrich.
Why does it matter? Ullrich said that most wireless protocols (not just Wi-Fi) rely on good random numbers to encrypt connections. "Without good random numbers, these connections are not secure."
6. Reliance on Web Services as a Software Component
"The reliance on remote services exposes software to new risks. Services need to be carefully authenticated, and data received needs to be validated. Ad-hoc services are difficult to inventory, and security scans must consider that the service will only be started as needed," said Ullrich.
7. Threats Against NoSQL Databases
Security-aware developers have, for many years, known about and mitigated threats against traditional SQL databases. They relied on prepared statements and on proper configuration of user accounts. But for newer NoSQL databases like MongoDB or Elasticsearch, some of these options don't exist, or new threats must be considered. Ullrich said that the Internet Storm Center's DShield sensor network, which reports on traffic received by more than one million active IP addresses, observes a continuous stream of scans for vulnerable NoSQL databases. "Several thousand NoSQL databases have already been compromised or erased. A vulnerable instance of a NoSQL database will be discovered within hours of being exposed to the Internet."
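The closest NoSQL equivalent of a prepared statement is strict type checking of client input before it lands in a MongoDB filter, because a JSON value that is an object rather than a string becomes part of the query instead of data being compared. The example below is added here, is not code from the panel, SANS or MongoDB, and uses constructed request bodies and field names (`user`, `pw_hash`):

```python
# Added example: validating untrusted JSON before it is used as a MongoDB
# filter. Function names, field names and request bodies are constructed.
import json


def has_operator_keys(value):
    """True if any key anywhere in value starts with '$' or contains '.',
    the characters MongoDB interprets as operators and field paths."""
    if isinstance(value, dict):
        return any(
            key.startswith("$") or "." in key or has_operator_keys(inner)
            for key, inner in value.items()
        )
    if isinstance(value, list):
        return any(has_operator_keys(item) for item in value)
    return False


def unsafe_login_filter(body):
    """Vulnerable form: values from the parsed body are used as-is, so a
    non-string value changes the meaning of the filter."""
    return {"user": body["user"], "pw_hash": body["pw_hash"]}


def safe_login_filter(body):
    """Hardened form: refuse operator keys anywhere in the body and require
    each compared field to be a plain string."""
    if has_operator_keys(body):
        raise ValueError("operator keys are not allowed in client input")
    user, pw_hash = body.get("user"), body.get("pw_hash")
    if not (isinstance(user, str) and isinstance(pw_hash, str)):
        raise ValueError("user and pw_hash must be strings")
    return {"user": user, "pw_hash": pw_hash}


def classify(raw_json):
    """Return 'accepted' or 'rejected' for one raw request body."""
    try:
        safe_login_filter(json.loads(raw_json))
        return "accepted"
    except (ValueError, KeyError):
        return "rejected"


# Constructed bodies: a normal login, and one whose field is an object.
NORMAL = '{"user": "alice", "pw_hash": "3f2a"}'
OBJECT_VALUE = '{"user": "alice", "pw_hash": {"$ne": ""}}'

if __name__ == "__main__":
    for raw in (NORMAL, OBJECT_VALUE):
        print(raw, "->", classify(raw))
```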