10/10/18

Introduction to Internet of Things (IoT)

Information security, often referred to as InfoSec, is a set of strategies to protect sensitive business information from unauthorized use, modification, disruption, destruction, recording or inspection. InfoSec protects information not only in transit but also at rest in storage.

InfoSec programs are built around the core objectives of the CIA triad, and their primary focus is on sustaining the balance between Confidentiality, Integrity and Availability of business data. The triad ensures that sensitive information is disclosed only to authorized parties (confidentiality), prevents unauthorized modification of data (integrity) and guarantees that the data can be accessed by authorized parties when requested (availability).

Is there any difference between cyber security and information security?

Yes! They are different. Although the terms are used interchangeably, and both deal with the security and protection of information from breaches (information being stolen) and threats, cyber security deals with protecting data in cyberspace, whereas information security protects data in general.

As it is well known:

“Physical data is often easier to protect in locked filing cabinets, but electronic data requires greater protection”

The field is of growing importance due to increasing dependency on computer systems, the Internet and wireless networks such as Bluetooth and Wi-Fi, and due to the growth of “smart” devices, including smartphones, televisions and the various other small devices that constitute the Internet of Things.

What exactly is Internet of Things?

The Internet of Things (IoT) basically includes anything and everything connected to the internet or to each other. These things are always connected: they communicate with each other, swap data with other devices and finally upload it all to a cloud-based server. With increasing competitive pressure to deliver better and faster services, there is a need for data to travel from any device in the world to provide more insight into and control over the elements of our connected lives.

Doesn’t it make one’s life easy? What can one do with a normal alarm clock apart from setting an alarm? Snooze, set multiple alarms, etc. With an IoT-based alarm clock, if a user sets an alarm for 8 am to go to work, the alarm would fetch real-time weather and traffic data to calculate the time required to commute to work and automatically ring earlier than the set time to compensate for the delay. The benefits of IoT include efficient resource utilization, reduced human effort, reduced costs and increased productivity, real-time marketing, decision analytics, better customer experiences and high-quality data, to name a few. But nothing comes easy! Along with all the comfort it provides, we should not ignore the risks it brings with it.

IoT security testing is considered less complex and has not been given the importance it deserves, on the assumption that where there is no human intervention there will be no human error. Human error is the major cause of security breaches, for example a user clicking on a malicious link in an email or being lured into sending their personal details; all of this needs human intervention. Therefore, the reasoning goes, in an IoT environment there is no one to lure and hence fewer security challenges or breaches. This supposition is totally deceptive. According to recent research on IoT breaches, 84% of companies have already experienced some sort of IoT breach, in a study involving over 3,000 companies across 20 countries. In fact, in an IoT environment intruders have more opportunities to breach, as its architecture comprises a number of elements that each become a potential target.

How Did IoT Evolve?

Chart: Number of IoT connected devices worldwide

IoT is one of the trending topics in the field of Information Technology, but let’s also have a quick review of its background and history.

The term IoT was first coined by Kevin Ashton in 1999 and since then it has come a long way.

A few decades ago people were connected to the outside world in a very limited way, through radios and televisions. Besides, these provided a one-way communication experience, i.e. one couldn’t talk to or interact with them. This slowly changed with the arrival of home computers like the ones made by Atari and Commodore in the 1980s, and later the IBM PC. Now users could connect to the outside world, but connectivity was still in its infancy. Assisted by Moore’s Law, technology became more available, compact and affordable every year. This is when security and privacy issues made their way into the user’s consciousness. By the late 1990s much had changed: people started using mobile phones over landlines, resulting in more and more compact devices every passing year. The market for online commerce boomed as most people were now connected to the internet. By the middle of the 20th century, there were rapid changes and advances in technology. For instance, the only security concern with a watch used to be that it could be physically stolen, but nowadays it is whether the watch is disclosing personal information that could enable identity theft or fraud.

The reason IoT is trending is that various IoT products have gained popularity in the market, including smart refrigerators, home thermostats and door locks controlled by smartphones. Take the example of a smart home: it is full of products that understand your preferences and foresee your everyday needs, so that you spend less time managing or supervising your house and more time living in it.

What are the security challenges in IoT?

IoT is already trending across the whole Information Technology domain. With this popularity it becomes harder to secure an IoT system. There are many vectors a developer has to focus on in order to secure the IoT environment, such as:

1. Default credentials & configuration
2. Ensure high availability
3. Secure web, mobile and cloud applications
4. Secure communication
5. Authorize and authenticate devices
6. Security patches
7. Detect vulnerabilities and incidents
8. Manage vulnerabilities

IoT security is being taken even more seriously due to past crypto-mining and DDoS attacks such as the Mirai botnet, Stuxnet, Cold in Finland, BrickerBot, Botnet Barrage, etc.

Mirai Botnet:
Mirai (Japanese for “the future”) is self-propagating botnet malware which infects poorly protected Internet-connected devices by using the telnet service to find devices still using the factory default username and password. The effectiveness of Mirai is due to its ability to reach other insecure devices and co-ordinate with them to perform a DDoS attack against the target. Mirai was used, along with BASHLITE, in the DDoS attack on 20 September 2016 on the “Krebs on Security” site, which reached 620 Gbit/s. “Ars Technica” also reported a 1 Tbit/s attack on a French web host.

How to address security issues in IoT environment?

IoT penetration testing is not widely followed because IoT development itself has not yet fully evolved. In the IT field, many organizations, from small-scale companies to large MNCs, are developing IoT-related products without expertise and security awareness.

IoT pentesting should be conducted on all products in a UAT environment before deploying them to production. Upon mapping the attack surface of IoT, we can categorize it as follows:

Hardware Hacking

Hardware hacking consists of analysing the internal architecture of the device, including its internal components, to determine the attack surface: firmware extraction, identification of test points, and reconfiguring the device’s hardware to bypass authentication and intercept traffic.

Network Testing

Network testing consists of identifying security flaws in the services running on a network or on a cloud server. An attacker can gain access to sensitive information and, with readily available exploits, can successfully compromise servers and go on to compromise the entire IoT infrastructure.

Software Hacking

Software hacking consists of penetration testing of the web application and the mobile application.

Communication Protocol

IoT devices often use non-standard communication protocols (MQTT, CoAP) and radio protocols (BLE, Zigbee), which can be tested from an attacker’s perspective for cryptographic security and for the ability to sniff traffic and modify it.

What are the common security concerns missed out by developers?

With the growth of new and advanced frameworks for IoT development, developers don’t really need to think about the configuration of servers, devices, encryption, etc., which makes it more efficient and faster to develop an IoT product within a limited time frame. With all these advantages come a few security flaws which every developer needs to keep in mind before deploying an IoT product. The most common security mistakes developers make while developing IoT products are:

Default Credentials

Most of the IoT devices in use have default credentials enabled, which can easily be found in the documentation of the corresponding product.

Storing Sensitive Data

Many developers store sensitive data like API keys, encryption keys and FTP credentials on the devices (i.e. on mobile devices via the mobile application, or on IoT devices via the firmware).

Debugging Services Not Disabled

At the hardware level, developers often debug the hardware in order to find and minimize flaws. Usually this is done with the help of debugging interfaces such as UART, JTAG, serial, USB and SWD, which are not disabled after the devices are deployed in an IoT infrastructure. Using these debugging ports an attacker can gain root/shell access to the system, dump firmware or flash data from the device, and fully compromise it.

Missing Patches

Upon deploying devices in an IoT infrastructure, developers often run the devices with older firmware and operating systems without regularly checking for software updates and security patches. This might leave a loophole for an attacker to compromise the system.
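The three mistakes above (default credentials, debug interfaces left enabled, and missing firmware updates) are the kind of thing a pre-deployment inventory audit can catch. The following Python script is an added example and not Varutra’s code; the device inventory, the default-credential list and the interface names in it are constructed for illustration, and a real audit would load the vendor’s published defaults and current firmware versions for each product line.

```python
"""IoT fleet configuration audit.

Added example (not Varutra's code): a quick audit over a device inventory
for three common deployment mistakes, namely factory-default credentials,
debug or management interfaces left enabled, and firmware behind the
vendor's current release. The inventory, the default-credential list and
the interface names are constructed for this demonstration.
"""
from dataclasses import dataclass

# Constructed list of widely documented factory defaults. A real audit would
# load the published defaults for each product line in the fleet.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}

# Interfaces that should be disabled (or physically fused off) before deployment.
DEBUG_INTERFACES = {"uart", "jtag", "swd", "telnet"}


@dataclass
class Device:
    device_id: str
    username: str
    password: str
    enabled_interfaces: list   # interface names reported by the device
    firmware: str              # version currently running
    latest_firmware: str       # vendor's current release


def version_tuple(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so that '1.2.10' sorts after '1.2.9'."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def audit_device(dev: Device) -> list:
    """Return (severity, finding) tuples for one device."""
    findings = []
    if (dev.username, dev.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append(("critical", "factory default credentials in use"))
    elif len(dev.password) < 12:
        findings.append(("medium", "password shorter than 12 characters"))

    exposed = sorted(i for i in dev.enabled_interfaces if i.lower() in DEBUG_INTERFACES)
    if exposed:
        findings.append(("high", "debug/management interface enabled: " + ", ".join(exposed)))

    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        findings.append(("high", f"firmware {dev.firmware} is behind current release {dev.latest_firmware}"))
    return findings


def audit_fleet(devices) -> dict:
    """Map each device id to its list of findings."""
    return {dev.device_id: audit_device(dev) for dev in devices}


# Constructed inventory: one device with every mistake, one clean, one mixed.
SAMPLE_FLEET = [
    Device("cam-01", "admin", "admin", ["https", "telnet"], "1.2.3", "1.4.0"),
    Device("cam-02", "svc_cam02", "Qx9!mv2#Lr8wTz", ["https"], "1.4.0", "1.4.0"),
    Device("gw-01", "root", "v7Gp$Kd2#nQw8Lx", ["https", "uart", "jtag"], "2.0.9", "2.0.10"),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(device_id, "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

The version comparison is done on integer tuples rather than strings so that 2.0.10 is correctly recognised as newer than 2.0.9; a plain string comparison would get this wrong and silently pass an out-of-date device.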

Services with no Encryption

Often developers take extra effort to make the product efficient, which mostly improves the overall user experience. But due to a lack of security awareness, a developer might disable crucial security features like encryption. As IoT devices need to consume little power, they are configured to use some protocols without encryption, which can lead to theft of credentials. For example, an unencrypted MQTT service might let an attacker sniff the entire traffic transmitted by IoT devices.
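To see concretely what the unencrypted MQTT case exposes, the following Python script (an added example, not Varutra’s code) builds an MQTT 3.1.1 CONNECT packet the way a device client library would and parses it back the way a passive network sensor on the broker’s plain TCP/1883 port would. The client id, username and password are constructed values. The credentials come out of the packet exactly as sent, which is why a broker should accept credentials only over TLS (TCP/8883), where the same sensor would see only ciphertext.

```python
"""Plaintext MQTT CONNECT parser.

Added example (not Varutra's code): parses the CONNECT packet that opens an
MQTT 3.1.1 session from raw bytes, exactly as a network sensor watching the
broker's unencrypted port (TCP/1883) would see it, and reports whether a
password travels in the clear. The sample packet is built here from
constructed values, not captured from any real device.
"""
import struct


def _encode_field(value: bytes) -> bytes:
    """MQTT length-prefixed field: 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(value)) + value


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, high bit = continue)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username=None, password=None, keep_alive=60) -> bytes:
    """Build a CONNECT packet the way a device client library would."""
    flags = 0x02                                   # Clean Session
    payload = _encode_field(client_id.encode())
    if username is not None:
        flags |= 0x80                              # User Name flag
        payload += _encode_field(username.encode())
    if password is not None:
        flags |= 0x40                              # Password flag
        payload += _encode_field(password.encode())
    header = _encode_field(b"MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    body = header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def _read_remaining_length(data: bytes, pos: int):
    value, multiplier = 0, 1
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128


def _read_field(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_connect(packet: bytes) -> dict:
    """Decode a CONNECT packet; every returned field was readable on the wire."""
    if packet[0] >> 4 != 1:                        # control packet type 1 = CONNECT
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    end = pos + remaining
    protocol, pos = _read_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _read_field(packet, pos)
    info = {"protocol": protocol.decode(), "protocol_level": level,
            "keep_alive": keep_alive, "client_id": client_id.decode()}
    if flags & 0x04:                               # Will flag: topic and message follow
        topic, pos = _read_field(packet, pos)
        info["will_topic"] = topic.decode()
        info["will_message"], pos = _read_field(packet, pos)
    if flags & 0x80:
        name, pos = _read_field(packet, pos)
        info["username"] = name.decode()
    if flags & 0x40:
        secret, pos = _read_field(packet, pos)
        info["password"] = secret.decode(errors="replace")
    if pos != end:
        raise ValueError("CONNECT length field does not match payload")
    return info


def password_in_clear(packet: bytes) -> bool:
    """Detection rule for a sensor on TCP/1883: does this CONNECT carry a password?"""
    return "password" in parse_connect(packet)


if __name__ == "__main__":
    pkt = build_connect("sensor-42", "iot_gateway", "Sup3rS3cret!")
    print(pkt.hex())
    print(parse_connect(pkt))
```

As a detection rule, `password_in_clear` on a non-TLS port is a reliable indicator that the broker or the device fleet is misconfigured: MQTT has no built-in encryption, so anything the parser can read, any host on the path could read too.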

What are the best security practices for developers to follow?

Best security practices suggest that a developer avoid exposing any sort of sensitive information at the device, network or application level. It is advised to avoid all of the common security mistakes above to ensure a secure IoT environment.

Here we are done with the basics of IoT security testing. It can be performed by a pentester who has a proper understanding of IoT architecture and expertise in black-box and white-box penetration testing.

In further blogs we will discuss all the vectors included in IoT pentesting in detail, including in-depth impact analysis of the most common IoT vulnerabilities. These IoT devices are an integral part of our lives, and to secure them you have Varutra Consulting happy to assist you.

Author,

Shreeya Patewadiyar

Attack & PenTest Team

Varutra Consulting

10/27/15

External Penetration Testing – Case Study

Penetration Testing

ABSTRACT

External penetration testing consists of reviewing and assessing the vulnerabilities that could be exploited by external users/hackers without any credentials or any access to the target system.

The assessment plays a vital role in ensuring the perimeter and infrastructure security of the organization, where a breach can impact the business because of the sensitive information present. It also establishes the possibilities of external threats/attackers and their likely behaviour; to minimize the risk and threat ratio, an External Network Security Assessment is taken into consideration.

If external network security is not taken seriously, it will lead to information/data theft, which damages the image of the company/organization’s brand and ultimately affects the whole business of the organization. The assessment will also show whether there has been a Return on Investment (ROI) in the existing security controls, such as firewalls, intrusion detection and prevention systems, or application defenses.

The role of a pentester is to perform penetration testing of the internet-facing network, find vulnerabilities and try to exploit vulnerable systems/networks to obtain confidential and sensitive information that could compromise the network perimeter, and then to suggest measures to remediate the security issues and secure the network.

Varutra’s penetration testing methodology is in accordance with best standards and follows guidelines from OSSTMM, OSINT, NIST and OWASP. It makes use of our extensive experience in penetration testing and security assessment to discover previously missed vulnerabilities, providing an impact level of security assurance.

This is a case study of an external network penetration test that Varutra performed for one of its overseas client organizations, which provides e-governance services. Some of the information has been changed or modified to maintain confidentiality.

BACKGROUND

The client network consisted of various technologies such as firewalls, routers, IPS, web servers, etc. The goal was to understand the current level of external risk which could compromise the sensitive data of the customer as well as the organization. Mainly we had to understand the infrastructure of the client network, and based on it we started the penetration testing. The client commissioned Varutra to carry out an external penetration test and supplied Varutra with the external IP address ranges to be tested. No other information was given, such as live IP addresses or the name, type and nature of systems along with the underlying services running on them.

APPROACH AND METHODOLOGY

Varutra consultants then proceeded with the following stages of the penetration test:

Information gathering (Active & Passive)

– Attacking DNS

– Discovering firewall & IPS

– Scanning for external IPs and associated systems and services

Attacking WordPress application

Attacking Joomla application

Attacking web servers

– Attacking web applications

– User account brute-forcing

Attacking network layer

– Attacking web servers

– Attacking email server

– Firewall evasion

Producing a detailed report of issues and recommendations with proof-of-concept screenshots

Varutra followed a scenario-based assessment approach for the penetration testing phases.

During an external penetration test, Varutra can take the perspective of a known or unknown external threat to the organization. Varutra started footprinting the organization using Open Source Intelligence (OSINT), Domain Name System (DNS) reconnaissance, NSLookup and other techniques to identify all information that belongs to the client’s network and infrastructure. Varutra then discovered the open ports and their services on each workstation and identified the vulnerabilities associated with them.

During the attack phase, Varutra attempts to find all possible ways to breach the client’s network using the combinations of tools and techniques employed by hackers in real-world attacks. The main targets include web applications/web servers, the email system, firewalls, and personal information obtained through social engineering attacks.


Figure: External Penetration Testing Methodology


KEY FINDINGS/OBSERVATIONS

Varutra identified and analysed the network perimeter based on the scanning techniques used and the responses received from the target. The identified firewall IP was giving wrong information regarding ports, i.e. the firewall was misconfigured and was reporting closed ports as well. While doing the web server assessment we came across a web server running an outdated version of Apache, which led us to conduct a Denial of Service attack on the web server; the attack was successful. On the web application layer Varutra found multiple critical vulnerabilities such as SQL Injection, XSS, HTML Injection and Improper Session Management, as well as some low and informational level vulnerabilities. All of this assessment was done with automated testing using commercial and open source tools, as well as extensive manual testing for verification and validation. This was the most important phase of the penetration test because it effectively demonstrates the impact of a breach for the organization concerned. The main targets in this phase were security credentials and other personal information, web server/website credentials, and sensitive proprietary information of the organization (such as source code, or internal methodologies and formulas).

In the final deliverable, Varutra provided detailed information for each vulnerability that was discovered and exploited, including suggested recommendations or mitigation steps. Finally, Varutra provided a detailed step-by-step impact of the breach on the target organization, which explains how several low-severity vulnerabilities can also be linked together to achieve a complete and successful compromise.


KEY HIGHLIGHTS

Varutra consultants completed the penetration testing process using a scenario-based approach. The key highlights of the testing are listed below:

1. Initial scoping of the network was conducted to map and identify the current network, sensitive assets, entry points, existing security mechanisms, etc.

2. Penetration testing was conducted on the target network devices and systems.

3. Exploit tests were carried out, such as mail spoofing and DNS zone transfer.

4. Consultants leveraged the known vulnerabilities to further penetrate the network and identify the impact of the vulnerabilities if exploited.

5. A technical, in-depth list of issues was produced, with recommendations on reducing the risk starting with the most critical.
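Mail spoofing (highlight 3) is possible when the domain’s SPF and DMARC records do not tell receiving mail servers which hosts may send as the domain and what to do with mail that fails the check. The following Python script is an added example and not Varutra’s code: it evaluates SPF and DMARC TXT records for the weak configurations that leave a domain spoofable, with a permissive setup beside its hardened form. The records are constructed; in a real assessment they would be fetched from DNS (for example with the dnspython library, which is an assumption and not something this block needs).

```python
"""Mail spoofing exposure check from SPF and DMARC records.

Added example (not Varutra's code): evaluates a domain's SPF and DMARC
TXT records for the conditions that let an outsider send mail as that
domain. The records below are constructed; in a real assessment they
would be fetched from DNS.
"""

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str):
    """Return (terms, all_qualifier) for an SPF record, or None if not SPF."""
    if not record.lower().startswith("v=spf1"):
        return None
    terms, all_qualifier = [], None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier          # verdict for senders not listed earlier
        else:
            terms.append(term)
    return terms, all_qualifier


def parse_dmarc(record: str):
    """Return the tag dictionary of a DMARC record, or None if not DMARC."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _lookup_count(terms) -> int:
    names = (t.split(":")[0].split("/")[0].split("=")[0].lower() for t in terms)
    return sum(1 for n in names if n in LOOKUP_MECHANISMS)


def assess_spoofing_exposure(spf_records, dmarc_records) -> list:
    """Return (severity, finding) tuples; an empty list means no weakness found."""
    findings = []
    spf = [p for p in map(parse_spf, spf_records) if p is not None]
    if not spf:
        findings.append(("high", "no SPF record: receivers cannot tell which hosts may send as this domain"))
    elif len(spf) > 1:
        findings.append(("high", "more than one SPF record: evaluation is a permanent error, i.e. no protection"))
    else:
        terms, all_q = spf[0]
        if all_q == "+":
            findings.append(("high", "SPF '+all' authorizes every host on the internet to send as this domain"))
        elif all_q in ("?", None):
            findings.append(("medium", "SPF gives unlisted senders a neutral result, which receivers treat like no SPF"))
        elif all_q == "~":
            findings.append(("low", "SPF '~all' is softfail only; rejection depends on DMARC"))
        if _lookup_count(terms) > 10:
            findings.append(("medium", "SPF needs more than 10 DNS lookups and evaluates to a permanent error"))

    dmarc = [p for p in map(parse_dmarc, dmarc_records) if p is not None]
    if not dmarc:
        findings.append(("high", "no DMARC record: SPF/DKIM results are never enforced on the From: domain"))
    else:
        policy = dmarc[0].get("p", "none").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none: spoofed mail is reported but still delivered"))
        elif policy == "quarantine":
            findings.append(("low", "DMARC p=quarantine: spoofed mail goes to spam instead of being rejected"))
        pct = dmarc[0].get("pct", "100")
        if pct != "100":
            findings.append(("low", f"DMARC pct={pct}: policy applies to only part of the mail stream"))
    return findings


# Constructed records: a permissive setup beside its hardened form.
WEAK = {
    "spf": ["v=spf1 include:_spf.mailer.example a mx +all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"],
}
HARDENED = {
    "spf": ["v=spf1 include:_spf.mailer.example mx -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"],
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_spoofing_exposure(recs["spf"], recs["dmarc"]) or "no findings")
```

The two records work together: SPF alone only says which hosts may send, and without a DMARC policy of `quarantine` or `reject` a receiver has no instruction to act on a failed check, so mail spoofing remains possible even with a strict `-all`.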


DELIVERABLES

The reports and remediation information provided by Varutra were customized to match the client’s operational environment and requirements. The following reports were submitted to the client:

1. Executive Report: Overview of the entire engagement, the vulnerabilities statistics and the roadmap for the recommendations made to mitigate the threats identified.

2. Technical Report: Comprehensive information, proof-of-concept examples and detailed exploitation instructions for all the threats/vulnerabilities identified, along with remediation for the same.

3. Mitigation Tracker: Simple and comprehensive vulnerability tracker aimed at helping the IT asset owner/administrator to keep track of the vulnerabilities, remediation status, action items, etc.


BENEFITS

Our penetration test helped the client identify the potential threats/vulnerabilities that could have compromised their network and its components. We also assisted them in assessing the percentage of potential business and operational impact of successful attacks/exploitation.

Additionally, the client gained the following benefits:

* Risk Benefits: Varutra minimized security risks by assessing and analysing the client’s infrastructure vulnerabilities and recommended solutions and remediation with proven methods to enhance the security of the organization.

* Cost Savings: Varutra suggested cost-effective risk-mitigation measures based on the client’s business requirements that would ensure security and continuity of the business.

* Customer Satisfaction: Penetration testing was conducted with minimum interruption and damage across the client’s systems/workstations to identify security vulnerabilities, their impacts and potential risks.

* Compliance: As an added bonus, the client was able to utilize the information gained from this Penetration Test to easily gain industry certifications and provide a higher level of service to its customers.


REFERENCES

https://www.dionach.com/library/network-penetration-test-case-study

http://www.testlab.com.au/images/pentest.png


AUTHOR:

Omkar Joshi & Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.