IoT Device Testing Made Possible With BeStorm X

This article was originally published on TechTarget on April 22, 2019.

In an international collaboration, U.S.-based Beyond Security and Japan-based Ubiquitous AI Corporation developed and launched BeStorm X, a vulnerability verification tool designed specifically to test IoT devices. The vendors claim the tool is an amalgamation of Beyond Security’s BeStorm version 7.6.8 and UAC’s IoT technologies.

The vendors claim that BeStorm X can perform IoT device testing for both known and unknown vulnerabilities. It’s a black-box fuzzer that tests IoT software for susceptibilities such as missing patches in the underlying operating system, bad configuration, as well as other weaknesses, including those in custom protocols.

Fuzzing is an automated tool-based software testing technique that intentionally inputs invalid or random data into a system and, when the system is unable to verify the data, exposes and locates bugs or leaks. The vendors claim BeStorm X will detect zero-day vulnerabilities, default passwords, bad encryption settings and other issues.

BeStorm X is geared toward IoT vendors, certification testers, and even commercial end users. End-user pricing starts at $9,500 and goes up according to number of seats and protocols that need to be tested.

Beyond Security, in addition to BeStorm X and BeStorm, offers vulnerability assessment and management tools (BeSecure) and PCI ASV services. UAC, born from a merger of Ubiquitous Corporation and A.I. Corporation in July 2018, touts lightweight security, networking, wireless and OS products.

How Black Box Fuzzers Protect Against the Unknown

See how black box fuzzing tools like beSTORM can protect against known AND unknown vulnerabilities. Get the guide, How Black Box Fuzzers Protect Against The Unknown to learn more.


BeSECURE: Network Scanning for Complicated, Growing or Distributed Networks

Upgrade Your Network Scanner

Free scanners are great – up to a point. That point is when your network reaches a critical size, your assets have acquired a critical value or your company, industry (or Uncle Sam) has set new compliance requirements that those freebie tools just can’t handle.

beSECURE, the Automated Vulnerability Detection System, is a step up into the corporate vulnerability assessment and management arena, but with the simplicity you used to get with your favorite freeware scanner.

Running multiple network scanning tools is a pain

Everyone has a half dozen network scanners sitting around, and if your network is small and you have time to configure and run multiple tools and then compare their often contradictory results, great. If you have a somewhat complicated network and need mission-critical reporting that is accurate and easy to produce, then now is the time to find out more about beSECURE.

When a network scan is just not enough

The environment our networks live in is getting way too ‘interesting’. On top of having many things you want to do, compliance requirements are coming to your network soon (if you aren’t already coping with them). You need a single, solid, common sense solution to find and handle the really nasty vulnerabilities when they happen.

A network scanner with PCI compliance included

Got credit card data? Every installed beSECURE system comes with PCI compliance reporting at no extra cost. Beyond Security is a PCI Approved Scanning Vendor and beSECURE is the tool we use to produce compliance reports. So run beSECURE to do your routine scanning, keep a clean network and breeze through PCI compliance requirements.

Get a 5-Minute BeSECURE VM Guided Tour

Take a quick, step-by-step tour and see how vulnerability management can work for you.

Port Scanning Tools VS Vulnerability Assessment Tools

Port scanning tools – just the first step to network security

Your port scanning tools are nice, but…

When your network reaches a critical size, your assets have acquired a critical value or when new compliance standards hit, your port scanning tools may have reached their limit. It’s the job of vulnerability assessment and management tools to combine port scanning with the investigation of everything that is running on the server to discover the weaknesses that hackers and bots alike are looking for.

Running multiple port scanning tools is a pain

Admins often have half a dozen scanners sitting around and one or two favorites. On small networks there is time to run several tools and then compare the results. Somewhat complicated networks or networks that manage confidential data need reporting that is accurate, easy to generate and that delivers prioritized vulnerability reports. It may be time to move to a single VA tool.

When a basic port scan is just not enough

Our networked world is getting way too ‘interesting’. On top of your routine demands, compliance requirements are coming to your network soon (if you aren’t already coping with them). You need a single, solid, common sense scanning solution to find and handle the really nasty vulnerabilities that must be resolved to be in compliance.

Does your port scanning tool come with PCI compliance?

Got credit card data on your website and network? Our Vulnerability Assessment tool, beSECURE, comes with PCI compliance reporting at no extra cost. Beyond Security is a PCI Approved Scanning Vendor and beSECURE is the tool we use to produce compliance reports. So run beSECURE to do your routine port scanning, keep a clean network and breeze through PCI compliance requirements.

Vulnerability Management, SAST, and DAST Solutions

Get a demo and see how vulnerability management, SAST, and DAST are the beginning of a strong, layered offensive security solution.

The Solution to IP Scanning Headaches

IP scanning for growing or distributed networks

Your IP Scanner more problem than help?

When your network reaches a critical size, your assets have acquired a critical value or you have new compliance requirements – your freebie IP scanner just can’t handle it. beSECURE, the automated vulnerability detection system, can. It is your best step up into the corporate vulnerability assessment and management arena, but with the simplicity you expect of your favorite IP scanner.

Running multiple IP scanners is a pain

Everyone has a half dozen IP scanners sitting around, and if your network is small and you have time to configure and run multiple tools and then compare their often contradictory results, knock yourself out. Got a somewhat complicated network and need mission-critical reporting that is accurate and easy to generate? Time to find out more about beSECURE.

When basic IP scanning is just not enough

The compliance environment is getting way too ‘interesting’. On top of the many things you want to work on, compliance requirements are coming to your network soon (if you aren’t already coping with them). You need a single, solid, common sense solution to find and handle the really nasty vulnerabilities when they happen.

An IP scanner with PCI Compliance Included

Got credit card data? Every installed beSECURE system comes with PCI compliance reporting at no extra cost. Beyond Security is a PCI Approved Scanning Vendor and beSECURE is the tool we use to produce compliance reports. So run beSECURE to do your routine IP scanning, keep a clean network and breeze through PCI compliance requirements.

For more information, call, email or use the form on this page.

BeSECURE: Designed for MSPs to Scan Hundreds of Businesses

Security services for the Managed Service Provider

Get started with our hosted service and pay as you go just for the scans you initiate on external IPs and web sites. Later, add a network IP scanning service and install Local Scanning Servers into networks to do internal network scanning.

Whether in a security operations center (SOC), an ASP farm, a colocation facility or as an outsourced service, the beSECURE MSP solution can become a part of your service offering quickly.

About Our Vulnerability Scanner: beSECURE

BeSECURE locates and reports on security breaches and vulnerabilities and lists their exact location and description along with recommended solutions. Scan with the widest range of security tests available today.

Robust reporting capabilities

Differential Reporting is a key security management tool for monitoring and assessing changes in network vulnerabilities and policies on an ongoing basis.
The differential report details 3 different levels:

  • A graphic report identifying trends in the management of security vulnerabilities and fixes
  • A report representing problems by age analysis, and categorizing problems into high, medium and low risk.
  • A technical report specifying the security holes that were revealed, their severity (identified by high, medium and low risk), their location and effect and how to repair them. In addition, the report can show the complete list of security tests that were performed. This can be in a single report, in 3 different reports or any other combination.
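The three report levels above, as an added example (not beSECURE’s own code) built on two constructed scan snapshots: the differential classifies findings as new, persisting or fixed, the trend counts feed a graphic, open findings are bucketed by age and severity, and the technical lines list each open issue. Finding keys, severities and dates are constructed sample data.

```python
"""Differential scan report: trend counts, age analysis and technical detail.

Added example, not beSECURE's own code. The two scan snapshots and the dates
are constructed sample data. A finding is keyed by (host, port, test id) and
carries a severity; findings that persist keep the date they were first seen.
"""
from collections import Counter
from datetime import date

SEVERITIES = ("high", "medium", "low")

# Constructed sample data: findings from the previous scan, with first-seen dates.
PREVIOUS = {
    ("10.0.0.5", 22, "SSH-OUTDATED"):     {"severity": "high",   "first_seen": date(2018, 11, 2)},
    ("10.0.0.5", 443, "TLS-WEAK-CIPHER"): {"severity": "medium", "first_seen": date(2019, 1, 10)},
    ("10.0.0.9", 80, "HTTP-TRACE"):       {"severity": "low",    "first_seen": date(2019, 2, 1)},
}
# Constructed current scan output: severities only; first_seen is filled in by the diff.
CURRENT = {
    ("10.0.0.5", 443, "TLS-WEAK-CIPHER"):    {"severity": "medium"},
    ("10.0.0.9", 80, "HTTP-TRACE"):          {"severity": "low"},
    ("10.0.0.12", 3306, "DB-DEFAULT-CREDS"): {"severity": "high"},
    ("10.0.0.12", 3306, "DB-OUTDATED"):      {"severity": "medium"},
}
SCAN_DATE = date(2019, 3, 4)


def differential(previous, current, scan_date):
    """Split the current findings into new and persisting, and list fixed ones.

    Persisting findings inherit first_seen from the previous scan so their age
    keeps accumulating; new ones are stamped with the current scan date.
    """
    report = {"new": {}, "persisting": {}, "fixed": {}}
    for key, info in current.items():
        if key in previous:
            report["persisting"][key] = dict(info, first_seen=previous[key]["first_seen"])
        else:
            report["new"][key] = dict(info, first_seen=scan_date)
    for key, info in previous.items():
        if key not in current:
            report["fixed"][key] = info
    return report


def trend(previous, current):
    """Level 1: (before, after) counts per severity, the input for a trend graphic."""
    before = Counter(v["severity"] for v in previous.values())
    after = Counter(v["severity"] for v in current.values())
    return {s: (before[s], after[s]) for s in SEVERITIES}


def age_bucket(days):
    """Age bands used by the age analysis."""
    return "0-30d" if days <= 30 else "31-90d" if days <= 90 else ">90d"


def age_analysis(report, scan_date):
    """Level 2: open findings counted by severity and by age band."""
    bands = {s: Counter() for s in SEVERITIES}
    for group in ("new", "persisting"):
        for info in report[group].values():
            days = (scan_date - info["first_seen"]).days
            bands[info["severity"]][age_bucket(days)] += 1
    return bands


def technical_lines(report):
    """Level 3: one line per open finding, highest severity first."""
    open_findings = {**report["new"], **report["persisting"]}
    ordered = sorted(open_findings.items(),
                     key=lambda kv: (SEVERITIES.index(kv[1]["severity"]), kv[0]))
    lines = []
    for (host, port, test), info in ordered:
        status = "NEW" if (host, port, test) in report["new"] else "OPEN"
        lines.append(f"{info['severity'].upper():6} {status:4} {host}:{port} {test} "
                     f"first seen {info['first_seen'].isoformat()}")
    return lines


if __name__ == "__main__":
    rep = differential(PREVIOUS, CURRENT, SCAN_DATE)
    print("trend (before, after):", trend(PREVIOUS, CURRENT))
    print("age analysis:", {s: dict(c) for s, c in age_analysis(rep, SCAN_DATE).items()})
    print("fixed since last scan:", [k[2] for k in rep["fixed"]])
    print("\n".join(technical_lines(rep)))
```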

Solutions for any requirements

You have a choice: use our hosted, pay-as-you-go service or get our appliance-based system.

Get a 5-Minute Guided Tour

Take a quick, step-by-step vulnerability management tour and see how VM can work for you.

Upgrade your service offering

Up until now the approach that most solution providers have adopted to secure their clients’ resources and web sites has been to batch-test for known vulnerabilities on an ad-hoc basis. In other words, a specialist will handle each IP individually, and test areas that he knows to be specific to that IP only. A typical problem associated with this kind of approach is unproductive time management. A specialist either spends too much time on this function, leaving other critical IT areas unmanaged, or spends not enough time, thus neglecting this function.

Our solution allows the specialist to automatically scan for the whole range of options on every IP, giving him complete data on any IP, at any time. The key differentiation is that the specialist now has far more information about his hosts at any specific time, allowing him to better manage his security function.

Another problem facing many solution providers is that the specialist has to ensure that his testing methods are constantly updated – a task that is virtually impossible to manage on an on-going basis. beSECURE is updated transparently and in real-time, allowing the specialist the confidence that reports received are always up-to-date. We are able to do this through our R&D team, which is recognized as one of the best in the world of security today.

Demo Vulnerability Management, SAST, and DAST

Schedule a demo to see which cybersecurity solution is a necessity for your company and how you can create a layered security portfolio.

Network Security and the Fourth Pillar

The three crumbling pillars of network security

Why is network security getting harder?

Access control, firewall and Intrusion Prevention Systems are failing to keep attackers from reaching vulnerable systems and network administrators have added as many layers beyond those as possible to no avail. This is a problem because successful attacks are often done with these solutions in place and being run well by capable people. It doesn’t take an analyst to tell you that something about these common perimeter guards isn’t getting the job done.

How hackers bypass network security

In all successful attacks hackers bypass the network security perimeter to exploit existing vulnerabilities inside the network. The fact that all hackers consider breaking the perimeter to be job #1 and that most refer to it as being a trivial achievement should be a wake-up call to admins who think perimeter solutions are enough to maintain network security.

In fact, all the successful attacks you are reading about in the press are on networks whose admins (or large security teams) were doing their best to maintain a perimeter! This includes the recent break-ins at Fortune 500 companies and government departments that have large network security staffs and deep pockets. Apparently something about the focus on perimeter defense is not working. Yes, the well-tended perimeter stops a great number of attacks, but the fact is, it doesn’t stop them all.

Setting aside political or financial high value targets that get targeted because they stand out, most attacks are done as a ‘drive by’. Attackers rarely choose a target first and then spend time looking for a weakness in its network security. It is far easier to study up on a well known vulnerability, scan broadly for ANY network that has this weakness and then exploit it wherever found to gain access. From that beachhead hackers expand their control through the network and then look for the most valuable data they can steal or lock up and ransom.

Therefore, in order to better secure any network, these well known vulnerabilities must be found and fixed regardless of ANY set of perimeter defense solutions being in place. Vulnerability Assessment and Management (VAM) is the solution that achieves this goal.

Are security teams pressured to ignore vulnerabilities?

Technical, organizational, financial and cultural forces in network security have combined to push known vulnerabilities, the single most important factor regarding network security, into the background.

  • Technical: Vendors of network equipment and applications are under heavy pressure to release new products and versions – but little pressure to test them as severely as hackers will after their release. Thus the vendor of every app and host on the network generates a stream of updates to patch security issues. Even a modest-size network has hundreds of applications and has (or should have) thousands of patches. The challenge: each patch has the potential for creating issues when installed and must be tested before being rolled out. The result is that only some patches are installed and every network ends up with un-patched, known vulnerabilities. Hopefully none are severe or are on high value assets. In addition there are security-related configuration issues – another can of worms.
  • Financial: Security is difficult to fund with any convincing proof of a return on the investment. Installing every possible patch into every single host is financially out of the question. The vulnerabilities left un-patched are hard to quantify in how they each contribute to network security and staff is simply not available to track down every missing patch.
  • Organizational: Company executives want to see some evidence that the current security staff is ‘doing something’. Thus you get ‘security theater’. The perimeter solutions are resplendent with data about how many attacks were blocked and the ‘increasing but deflected attacks’ graphs they produce are fine evidence that security is on the job and working hard. On the other hand, reports to execs about finding and fixing serious vulnerabilities can be met with a ‘Well isn’t that your job anyway?’.
  • Cultural: From the very earliest days of networking, network security has been fixed on a perimeter defense strategy. The arrival of smartphones, iPads and the cloud finally put paid to the idea that a perimeter can be held, or that it even exists. But still powerful is the siren song of new security technologies that say they will keep the bad guys away from the known, but unrepaired vulnerabilities they are looking for.

Given these factors, network security through the elimination of vulnerabilities has become just a compliance checkbox instead of being the front line defense strategy that the current state of security indicates it deserves. The truth is that the perimeter today is at each device itself.

VAM: The low man on the network security totem pole

Vulnerability Assessment & Management was the new kid on the network security block over a decade ago. It was a short and not terribly happy childhood. Early tools were complicated, cumbersome and ill suited for rolling into corporate networks. Those admins that did install what was then called just Vulnerability Assessment ran into the kiss of death for any security tool: huge reports filled with inaccurate results describing work to be done for which there were no resources to act.

Accuracy and network security

Accuracy has been the missing ingredient in many network security tools. Ask any admin who has tested several competing solutions side by side on a network. The variation in what each security tool discovers and reports is enough to keep one up at night. This applies to all tool families but particularly to VAM.

Inaccuracy in a firewall, antivirus or IPS is most often invisible. These systems can’t stop what they don’t know about. Yes this is a disaster waiting to happen, but while waiting for that disaster, it bothers no one. On the other hand an inaccurate, long VAM report is really irritating, sending network security staff searching high and low for things that don’t exist. A VAM report that has a couple of errors in the first page is going to get tossed in the bottom drawer.

Most VAM systems sold today are now at 95% accuracy, which is a lot better than the early days. That still means one false positive for every 20 reported issues. And that is still enough to get the monthly VAM report relegated to the shred pile.

Breathing new life into VAM

VAM has grown up and at the same time federal and industrial network security standards are pushing for it as a component of constant monitoring. Our own solution, beSECURE, the Automated Vulnerability Detection System, has become a simple to install, easy to operate, complete tool that incorporates web application scanning and database scanning with the traditional network scanning duties. It assigns asset value and vulnerability severity and so gives admins an accurate idea of what MUST be done, what should be done and what might be done in the future if budget allows. And it does this with accuracy unmatched in the industry.

Accuracy beyond traditional VAM solutions

All but one of the leading Vulnerability Management solutions identify vulnerabilities primarily by checking host banners to read the version number. They then assume that if version X is present, then all the vulnerabilities of version X are also present. This is a false positive if an update was ‘back ported’ (common in Linux) or if server or application settings make access to the vulnerability impossible. Alternatively, a banner can report a version update is in place even if the server did not get rebooted. It is common in even high end VAM solutions to have 3% to 8% false positive results.

beSECURE goes beyond just checking banners: it uses specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a specific vulnerability exists or not. This means that beSECURE is highly accurate, generating near-zero false positives and finding vulnerabilities that other solutions miss.

beSECURE accuracy means you can be certain that if a report says the network has a high risk on a high value asset, it actually DOES exist. You can also know, without a doubt, that when you are handling the risks discovered by beSECURE you are doing the best job possible to protect your network security.

Not all security issues or network assets are created equal

Management of vulnerabilities is recognizing that not all security issues are of equal severity and that not all network assets are equally valuable. Thus in the real world where IT budgets are never large enough to patch every single weakness, VAM will guide the way to applying whatever resources are available to the most truly serious weaknesses on the network.

beSECURE maps all the network assets (including servers, operating systems, network infrastructure, workstations, applications, phones, printers etc.) and prioritizes them based on their importance/criticality. A web or database server will be regarded as more critical than a print server. It then examines each item on the network, and lists the vulnerabilities discovered. Each is assigned a severity rating based on an internationally agreed upon set of guidelines (CVE). beSECURE combines the importance level of the asset and the vulnerability risk level to produce an accurate mitigation strategy.
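How combining asset importance with vulnerability severity changes the work order, as an added example that is not beSECURE’s own scoring: the criticality classes, weights, asset map and findings are constructed assumptions, and an asset missing from the map is treated as critical until someone classifies it, so an unknown host never sinks to the bottom by default.

```python
"""Combine asset criticality with vulnerability severity to order remediation.

Added example, not beSECURE's own scoring. The asset classes, the weights and
the findings are constructed assumptions; they show how the combined score
changes the work order compared with sorting on severity alone.
"""

# Asset importance: a web or database server ranks above a print server.
CRITICALITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Vulnerability risk level as reported by the scan.
SEVERITY = {"high": 3, "medium": 2, "low": 1}

# Constructed asset map (asset name -> criticality class).
ASSETS = {
    "db01": "critical",
    "web01": "high",
    "ws-22": "medium",
    "printer01": "low",
}
# Constructed findings: (asset, test id, severity).
FINDINGS = [
    ("printer01", "SNMP-PUBLIC-COMMUNITY", "high"),
    ("db01", "DB-DEFAULT-CREDS", "high"),
    ("web01", "TLS-WEAK-CIPHER", "medium"),
    ("ws-22", "SMB-SIGNING-OFF", "medium"),
    ("web01", "HTTP-TRACE", "low"),
    ("nas-new", "FTP-ANON", "medium"),   # host not yet in the asset map
]


def risk_score(asset_class, severity):
    """Combined score 1..12: asset weight times severity weight."""
    return CRITICALITY[asset_class] * SEVERITY[severity]


def bucket(score):
    """Map a score to the three work classes: must do, should do, might do."""
    if score >= 9:
        return "MUST"
    if score >= 4:
        return "SHOULD"
    return "MIGHT"


def prioritise(assets, findings):
    """Return findings ordered by combined risk, highest first.

    An asset missing from the map is treated as critical until classified:
    an unclassified host must not drop to the bottom of the list by default.
    """
    rows = []
    for asset, test, severity in findings:
        asset_class = assets.get(asset, "critical")
        score = risk_score(asset_class, severity)
        rows.append({
            "asset": asset, "test": test, "severity": severity,
            "asset_class": asset_class, "score": score, "bucket": bucket(score),
            "unclassified": asset not in assets,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["test"]))


def by_severity_only(findings):
    """The naive order: severity alone, ignoring what the host is worth."""
    ordered = sorted(findings, key=lambda f: (-SEVERITY[f[2]], f[0], f[1]))
    return [f[1] for f in ordered]


if __name__ == "__main__":
    print("severity only:", by_severity_only(FINDINGS))
    for row in prioritise(ASSETS, FINDINGS):
        flag = " (asset unclassified, review)" if row["unclassified"] else ""
        print(f"{row['bucket']:6} {row['score']:2} {row['asset']:10} {row['test']}{flag}")
```

In the sample data the high-severity finding on the print server tops the severity-only list but lands in the MIGHT class once the asset’s low criticality is factored in.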

VAM as your next step in network security?

We hope you have already incorporated VAM into your network security strategy. If you are already using a VAM solution please seriously consider extending it to cover your entire network, including test servers, phones, printers, etc. If you don’t have VAM installed on your network, now is the time. If you aren’t happy with your current system or you would like more info on how to deploy one for the first time, we hope that you will drop us a note.

Best Practices for Vulnerability Management and Assessment

Are you getting the most out of your vulnerability management? Get the guide, 7 Best Practices for Vulnerability Assessment & Management and improve your vulnerability management strategy.

Closing The Door on Network Attacks

Network security scanning

Your network is 100 times more likely to be attacked with a known exploit than an unknown one. And the reason behind this is simple: there are so many known exploits and the complexity of networks is so great that the chances are good that one of these known vulnerabilities is present and will allow an attacker access to your data.

The number of networks worldwide is so great and the number of new, as yet undocumented and thus unknown exploits so small that your chances of being attacked with one are nearly zero – unless you have network assets of truly great value, or you are a particularly interesting target.

If you don’t attract the attention of a dedicated, well financed attack, then your primary concern must be to eliminate your known vulnerabilities so that a quick look would not reveal an easy entry.

Network security defense strategy

There are two roads to accomplish excellent security. On one you would assign all of the resources needed to maintain constant alert to new security issues. You would ensure that all patches and updates are done at once, have all of your existing applications reviewed for correct security, ensure that only security knowledgeable programmers do work on your applications and have their work checked carefully by security professionals. You would also maintain a fiendishly restrictive firewall, antivirus and IPS/IDS.

Your other option: use a security scanning solution to test your existing equipment, applications and web site to see if a KNOWN vulnerability actually exists. While firewalls, antivirus and IPS/IDS are all important, it is simple logic to also fix the very issues that hackers are looking for. It is more effective to repair relatively few actual risks than it is to build higher and higher walls around them. Network vulnerability scanning is the most efficient security investment.

If one had enough resources to take just one of these roads, diligent wall building or vulnerability management, it has been demonstrated that fixing vulnerabilities instead of building walls around them will produce a higher level of security on a dollar for dollar basis. This is proven by the number of well defended corporate and government networks which get hacked every month.

Network security using a security scanner

Your best defense against an attack on your network is to scan it regularly and fix the high-risk vulnerabilities the scan finds.

Beyond Security staff have been accumulating a library of known issues for many years and have compiled what is arguably the world’s most complete database of security vulnerabilities. Each kind of exploit requires a known combination of network weaknesses to be present in order to succeed.

In a matter of hours, a security scanner can run through its entire database of over ten thousand vulnerabilities and can report on which are present and better yet, confirm the thousands that are not. With that data in hand you and your staff can address your actual security vulnerabilities and know that your network is completely free of known issues.

Then security scanning can be run on a regular basis so that your network will be tested against new vulnerabilities as they become known and provide you with solid data as to whether action is vital or low priority. You will also be alerted if new equipment has been added, a new port has been opened that was unexpected, or a new service has been loaded and started that may present an opportunity to break in.

In complex, large systems it may be that weekly scanning is the ONLY way to ensure that none of the many changes made to equipment or applications may have created a weakness that a determined hacker could exploit.

Get The Top 10 Secure Coding Practices to Protect Your Web Applications Guide

The Top 10 Secure Coding Practices to Protect Your Web Applications Guide will help you select and implement the right vulnerability management solution for your company.

Pen Testing Alternative Improves Security and Reduces Costs

Our definition of penetration testing

Pen testing (penetration testing) is the discovery of vulnerable network equipment or applications by evaluating their response (behavior) to specially designed requests. In some cases a payload (message, marker or flag) is delivered to prove beyond a doubt that the vulnerability can be exploited. Pen testing is usually a manual and expensive undertaking that is done infrequently and on selected, high value or highly exposed portions of a network.

Pen testing’s value is that by delivering a payload there is no arguing that the vulnerability exists and that it is serious enough to allow unauthorized access. Pen testing weaknesses are: variable results due to skill of the technician, infrequency, high expense and limited scope of testing.

Pen testing and Vulnerability Assessment

Pen testing and Vulnerability Assessment and Management (VAM) have not crossed paths until recently because in all cases but one, commercial VAM solutions primarily check the ‘banner’ to collect the software version number. This is sometimes called inference-based scanning. Typical VAM vulnerability tests assume that if an old version is discovered, then certain vulnerabilities can be assumed or that if a current version number is reported, then there are no vulnerabilities. There are many reasons that version does not equal vulnerability, thus the low reputation for VAM report accuracy. Only one VAM solution tests behavior and can prove the existence of vulnerabilities, like pen testing.

beSECURE is unique in the VAM field. It was designed from scratch to test the behavior of network equipment and applications rather than just look at a banner and assume on face value that vulnerabilities may exist. beSECURE sends specially designed requests to each host to determine, by response and positive ID, that vulnerabilities exist. Behavior-based testing aligns beSECURE with pen testing and produces four important benefits: high accuracy, frequency of testing and currency of results, low cost and complete coverage of everything that ‘speaks IP’.

Why automate pen testing

Although manual pen testing can identify how a combination of medium risk vulnerabilities can result in a high risk situation, it has the following issues:

  • Frequency: Within days of any pen test, any additions or changes to hosts and the network will create new security situations. Additionally, new vulnerabilities are announced weekly and may exist on the network.
  • Accuracy: No two pen test professionals may go about testing the same way, have the same experience or use the same tools. Even if the same pen tester is brought back monthly, new and previously overlooked vulnerabilities may be discovered.
  • Cost: Pen testing is expensive. It takes highly skilled professionals many hours to do more than just scratch the surface.
  • Scope: Due to the above factors pen testing is usually done on a limited set of targets. Pen testing almost never involves testing every server, firewall, router, workstation, printer, IP phone, wireless access point, etc.

Solving the problems of annual pen testing

beSECURE accomplishes the primary activity of pen testing, the identification of weaknesses in production hosts by testing behavior. It solves the four critical failures of manual pen testing:

  • VAM with beSECURE can be done monthly, weekly or even daily on frequently changing services like web servers and web applications. New hosts are immediately detected and tested, changes made to hosts that create weaknesses are promptly discovered and newly announced vulnerabilities are added to the test library daily.
  • beSECURE is designed to be run by any competent network admin. It is highly automated and its ease of use, accuracy of tests and short, to-the-point reports encourage compliance.
  • A typical beSECURE installation can be purchased outright for the cost of one comprehensive penetration test. In future years, a great savings can be experienced.
  • beSECURE is designed to scan entire networks quickly and its licensing model encourages broad use.

Behavior-based testing of network hosts (and in particular web applications) is unique to beSECURE. Its library of unique and proprietary tests has taken many years to compile and has been honed by constant use on thousands of networks. Accuracy was the goal of this mammoth project and thanks to tens of thousands of hours of development work and then feedback from thousands of customers beSECURE delivers the highest level of accuracy available in VAM. The result: most beSECURE customers never experience a single reporting error.

Manual pen testing is sometimes required by internal policy or for compliance with some external standards. In these cases, beSECURE is the perfect partner. Regular beSECURE scanning and the elimination of all medium and high risk vulnerabilities it discovers will dramatically reduce time needed to do manual penetration testing and so reduce its cost.

Looking for a vulnerability scanner? Contact us to schedule a free demo of our products in action.

Security Testing the Internet of Things: Dynamic testing (Fuzzing) for IoT security

What is the Internet of Things (IoT)?

The Internet of Things (IoT) encompasses any and all products that are connected to the internet or to each other. Any product which requires connection to a home, car or office network to deliver its complete set of features falls under this broad term. In fact cars themselves are now a component of the IoT as they now exchange data with the manufacturer routinely if not continuously.

All things IoT collect data during use and often share that info with their manufacturers without the users being aware that it is being collected. In many cases product functions are dependent upon connection to the internet and may be controlled to a great degree by the manufacturer. This concept of making all components of our increasingly complicated lives communicate with each other, with us, and with internal and external software applications, is what IoT is all about.

Why Do We Need IoT Security?

Manufacturers of every kind of electronic or electrical device are rushing to add features which require connection to the internet. In their rush to market, these companies, many of which have no prior experience with networked devices, are bound to overlook the complications of hardware and software security design and construction in the haste to get the newest, coolest function working at lowest cost.

It is nearly a rule that the makers of products that test these new frontiers will apply the same guidelines to their selection of processing hardware as they do for any other product components they purchase. The oldest chips whose designs were long ago paid off and are now dirt cheap are attractive building blocks for device designs that need only limited capabilities or capacities.

Security Comes Last.

Testing of the software written for a household appliance or child’s toy has only one goal: confirm that it works and will be easy to set up (with lots of default selections, even passwords). Security is an afterthought at best.

The hardware (chipset) used in most new products is very old and often has multiple known vulnerabilities. The software included with IoT devices, which rarely gets any in-depth security testing, almost always has its own set of security issues. The result is that tens of thousands, and soon hundreds of millions, of appliances, devices and toys being installed into home and business networks are ripe for hacking. And once a vulnerability is discovered in a widely distributed product line, there will be thousands or potentially hundreds of thousands of homes and businesses open to having their IoT devices hijacked, potentially exposing their entire network to observation and attack.

What are the Different IoT Applications?

On the consumer front, IoT is everywhere.

At home 

In the smart home, Internet-connected objects such as televisions, thermostats, lights, door locks and even refrigerators are becoming common. They offer homeowners control of home services and functions without actually being home. Smart refrigerators can monitor the amount of milk left and automatically reorder from a preferred store. Washers and dryers ring your phone when they are done.

On person

Health- and fitness-oriented wearable devices that offer biometric measurements such as heart rate, perspiration levels, and even complex measurements like oxygen levels in the bloodstream are some examples of wearable IoT-connected devices. In medicine, surgically implanted devices report back to the doctor regarding health status and in some cases accept instructions from medical staff to take action. All of this data goes back to a central database owned by the manufacturer and provides a stream of data that is potentially hackable.

On the move 

Transportation systems, and now cars, utilize a large number of sensors, often working in combination with GPS, to get from point A to point B in a safe and efficient manner. Beyond that, cars are getting even smarter: on-board navigation systems and diagnostic systems alert you (and the manufacturer) about everything from faulty lights to tire pressure.

IoT for Businesses

  • RFID tags within anti-theft tags that help retailers in monitoring inventory.
  • Driverless trucks operate 24×7, increasing production levels.
  • Critical infrastructure systems such as power generation and delivery systems, water systems, transportation systems are bringing in more IoT devices to improve their accuracy of data and control.
  • Farms use connected sensors to keep a check on crops and herds to optimise the distribution of pesticides, fertilizer and food.
  • IoT-connected devices alert shop floor managers about faulty or malfunctioning equipment.
  • Entire supply chains that span multiple companies and even continents are integrating their production systems to enable better management of machines and people through monitoring and control of their actions or their locations.

IoT generates and shares loads of data, and as such the individual devices are susceptible to malicious attacks, data misuse and forced data breaches, making a strong case for dynamic testing, code and logic review, and vulnerability assessment at the product development phase itself.

What are the Most Vulnerable IoT Devices?

According to Gartner, the number of Internet-connected devices is expected to reach 50 billion by 2020. While IoT is going to improve life for many, the number of security risks that consumers and businesses are prone to face will increase exponentially.

Stakeholders in the IoT domain face privacy issues, most of the time being unaware of the situation. As such, IoT devices have come under increasing levels of scrutiny in recent months over poor security controls and numerous vulnerabilities. Some of the common problems which have come up due to the spread of IoT include the following:

Personal Data

IoT users give their approval for collection and storage of data without having adequate information or technical knowledge. Data collected and shared with or lost to third parties will eventually produce a detailed picture of our personal lives that users would never consider sharing with any stranger they met on the street.

Anonymity has been a constant issue in the world of IoT, where IoT platforms barely give any importance to user anonymity in the process of sharing data.

Spying

Cyber attacks are likely to become an increasingly physical (rather than simply virtual) threat. Many Internet-connected appliances, such as cameras, television sets and kitchen appliances, are already able to spy on people in their own homes. Such devices accumulate a lot of personal data, which is shared with other devices or held in databases by organisations, and which is prone to misuse.

Automotive Vulnerabilities

Computer-controlled automobile devices such as horns, brakes, engine, dashboard, and locks are at risk from hackers who may get access to the on-board network and manipulate at will, for fun, mischief or personal gain.

Health-related Data

The concept of layered security and redundancy to manage IoT-related risks is still in a nascent stage. For instance, the readings of a smart health device that monitors a patient’s condition may be altered; when those readings are then passed to another device that prescribes medication after analysis, that device is compromised as well, adversely affecting the patient’s diagnosis or treatment.

There is also a high probability that a particular website or database becomes unreachable when many IoT-based devices try to connect to it at once, resulting in customer dissatisfaction and a drop in revenue.

Static and dynamic testing for IoT-connected devices

As IoT-connected devices become an integral part of our daily lives, it is crucial that these devices undergo thorough testing and establish a minimum baseline for security.

If any testing is done at all, static testing is the most frequently implemented process. But static testing is not intended or designed to find vulnerabilities that exist in the ‘off the shelf’ components, such as processors and memory, on which the application will be installed.

Dynamic testing, on the other hand, is capable of exposing both code weaknesses and any underlying defects or vulnerabilities introduced by the hardware which may not be visible to static analysis. Dynamic testing also often turns out to be a more pragmatic way of testing IoT devices and plays a pivotal role in finding vulnerabilities that are created when new code is run on old processors. As such, manufacturers who purchase hardware and software from others must do dynamic testing to ensure the items are secure.

QA testing for networked hardware and web applications

Developers produce applications that, to a greater or lesser degree, exchange information by adhering to a protocol as closely as possible. QA then tests application functionality against that protocol in the perfect world of the testing laboratory. Given the numerous ways programmers can make mistakes, looking for security vulnerabilities in a piece of software should be an integral part of the development process. Strangely, that is not always the case, as testing the security of a particular product can be an expensive proposition, and developers often weigh that expense against the other costs involved in releasing the product to its customers. Because of this, even software developed in an environment stringently cognizant of security risks is most likely released without full testing.

Naturally when the application is released, hackers will bash away at it with every possible corrupted form of the protocol to create an error in the application. By pushing at the edges of the envelope of the protocol, they may find a way to trip up the application and create a buffer overflow, the most frequently leveraged design error.

How Do Hackers Use Buffer Overflows?

How are hackers finding buffer overflow opportunities missed during development and standard pre-release QA? A wide range of tools have been developed by the hacker community to enable the rank and file to find new exploits. These tools, called fuzzers, work by creating and feeding a wide range of unexpected or corrupted inputs, looking for a combination that will break the application. The production of these tools has become a small industry of its own. The QA world has attempted to adapt these rough and ready hacker tools into its test processes with some success, but also with many headaches. Most of these hacker-developed fuzzers are focused on a single type of code weakness, or just on a single protocol, or even on a single application.

In case of IoT-connected devices, it is important for enterprises to identify traffic patterns and differentiate between the legitimate and malicious ones. For instance, an employee may download some apparently genuine app on a smartphone given to him by his employer, without knowing that the app has some malware. In such cases, the organisation must be prepared with the right set of processes to ensure ample security promptly.

Default Credentials in IoT Vulnerability

Most IoT devices come with default credentials when used for the first time, which means known administrator IDs and passwords. Some devices also come with a built-in web server, which lets admins log in and manage the device remotely. This massive vulnerability makes it easy for attackers to misuse available confidential data. To avoid any data leakage, enterprises must develop a strict provisioning process in which the initial settings of the device are tested and verified for any vulnerabilities that may exist, any validated flaws that have been identified are closed, and a “good-to-go” certification is issued by the compliance team before the device is brought to market.

Even after all the QA testing has been done, buffer overflow tests, protocol violation tests and black-box testing should be performed to further reduce the chance of shipping vulnerabilities in the devices.

Translation of Requirements Causes Vulnerabilities

Translation of requirements during application development is the first cause of most programming errors. For instance, during the development of a smart fridge application, a project manager translates the requirements from the desired end result to the programming team, whose members translate them into individual programming assignments. The programmers then translate each assignment into the proper syntax of a programming language written by someone else, which a compiler or interpreter translates into the corresponding machine code. All of these translations are sources of potential programming errors during the design stage.

Off-by-one errors, programming language misuse and integer overflows are all examples of errors generated by a programmer while translating a concept into a proper algorithm. For example, to hold ‘n’ items that are each ‘m’ bytes long, the programmer may tell the program to allocate n*m bytes. If n*m is larger than the biggest number that can be represented, less memory will be allocated than intended. This may lead to a buffer overflow. In another instance, if a programmer assumes that a variable contains only positive integers, but the integer in question is actually a signed integer, arithmetic operations can set the leftmost (sign) bit and make the result a negative number, possibly leading to exploitable behavior.
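The two errors just described, carried through as an added example that is not from the original article: the n*m size computation that wraps before the allocation happens, an overflow-checked version of the same computation, and a length check on signed values that accepts a sum which has wrapped negative. The function names (unchecked_size, mul_overflows, checked_mul, alloc_items, naive_length_ok, safe_length_ok) and the test values are this example’s own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* The size computation as a programmer writes it without a check.
   Unsigned arithmetic wraps modulo (SIZE_MAX + 1), so a huge n*m can come out tiny,
   and the allocation that follows is smaller than the data it must hold. */
static size_t unchecked_size(size_t n, size_t m) {
    return n * m;
}

/* Returns 1 when n*m is not representable in size_t.
   The division form cannot itself overflow, which is why it is used instead of n*m. */
static int mul_overflows(size_t n, size_t m) {
    return n != 0 && m > SIZE_MAX / n;
}

/* Overflow-checked multiply: 0 and *out = n*m when representable, otherwise -1. */
static int checked_mul(size_t n, size_t m, size_t *out) {
    if (mul_overflows(n, m)) return -1;
    *out = n * m;
    return 0;
}

/* Allocate space for n items of m bytes, refusing rather than under-allocating. */
static void *alloc_items(size_t n, size_t m) {
    size_t total;
    if (checked_mul(n, m, &total) != 0 || total == 0) return NULL;
    return malloc(total);
}

/* Signed-integer version of the same mistake: a total length built from two
   input-influenced signed values. The naive check only compares the sum, so a sum
   that wrapped to a negative number passes "total <= cap" (and would later become a
   huge size_t if handed to memcpy). The wrap is done through uint32_t so that the
   demonstration itself contains no undefined signed overflow. */
static int naive_length_ok(int32_t a, int32_t b, int32_t cap) {
    int32_t total = (int32_t)((uint32_t)a + (uint32_t)b);
    return total <= cap;
}

/* Hardened version: reject negative inputs and test for overflow before adding. */
static int safe_length_ok(int32_t a, int32_t b, int32_t cap) {
    if (a < 0 || b < 0 || cap < 0) return 0;
    if (a > INT32_MAX - b) return 0;      /* a + b would overflow */
    return a + b <= cap;
}

int main(void) {
    /* n = SIZE_MAX/4 + 1 items of 4 bytes: n*m is exactly SIZE_MAX + 1 and wraps to 0 */
    size_t n = SIZE_MAX / 4 + 1;
    printf("unchecked n*m = %zu bytes (wrapped)\n", unchecked_size(n, 4));
    printf("alloc_items refused: %s\n", alloc_items(n, 4) == NULL ? "yes" : "no");
    printf("naive check accepts INT32_MAX + 1 against cap 100: %d\n",
           naive_length_ok(INT32_MAX, 1, 100));
    printf("safe check accepts the same: %d\n", safe_length_ok(INT32_MAX, 1, 100));
    return 0;
}
```

The division test in mul_overflows is the standard way to check a size_t product without a wider type; calloc performs the same check in conforming C libraries, but an explicit check is still needed in front of malloc, realloc and hand-rolled allocators.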

What is IoT Exploitation?

Not all programming errors are created equal. Some allow attackers to gain something or to get an ability they didn’t already have. They may be able to deny other users access to the program by crashing it, or access information they shouldn’t be able to. In some cases, they may be able to cause the program to execute any command they tell it to. These errors are vulnerabilities. Other errors, while they may have the same causes, won’t give attackers any access they didn’t already have. So the first task for a vulnerability researcher is to determine whether the programming error is merely a bug or whether it can lead to exploitation. If a bug can lead to exploitation, either by itself or when used in concert with other bugs, it is indeed a vulnerability.

Buffer overflows are vulnerabilities caused by the application not checking available space before copying untrusted data into a pre-allocated region of memory; the copy ends up overwriting the contents of memory outside the buffer. As a result, the next time the program looks at that memory, it sees data from the overflow instead of the original data. If the program tries to use values from that area, it will most likely not see what it expects, and the consequences can range from a crash of the program to more dangerous outcomes such as a DoS or, worse, execution of new malicious code planted by someone. A stack-based buffer overflow can allow attackers to execute code on the victim’s computer, as it overwrites memory addresses that will be used later, while a “stack overflow” (exhausting the stack) typically results in a DoS, as the program tries to write to memory that isn’t available.
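To show how the fuzzers described under “How Do Hackers Use Buffer Overflows?” surface exactly the unchecked-copy defect this paragraph describes, here is an added example that is not part of the original article and is not Beyond Security’s or beSTORM’s code: a minimal mutation fuzzer used the way a pre-release QA harness would be, run against a constructed length-prefixed record parser. The wire format, the parser names (parse_trusting, parse_checked), the xorshift PRNG and the guard-byte oracle are all this example’s own constructions. The trusting parser copies the declared payload length without checking it against either the bytes actually received or the destination capacity; the harness can detect that without performing a real out-of-bounds access because the source buffer is zero-padded to the largest declarable length and the destination is followed by a guard region.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_CAP 16         /* size of the pre-allocated payload buffer */
#define CANARY_LEN  256        /* guard region after the buffer, filled with 0xAA */
#define SRC_CAP     (2 + 255)  /* zero-padded source: the read side stays inside the object */

/* Constructed wire format: [type][declared length][payload ...]
   A parser returns the number of payload bytes copied, or -1 on rejection. */
typedef int (*parser_fn)(const uint8_t *src, size_t n, uint8_t *dst, size_t cap);

/* Parser that trusts the declared length field: the defect class the text describes. */
static int parse_trusting(const uint8_t *src, size_t n, uint8_t *dst, size_t cap) {
    (void)cap;                       /* destination capacity is never consulted */
    if (n < 2) return -1;
    size_t len = src[1];
    memcpy(dst, src + 2, len);       /* BUG: len is checked against neither n nor cap */
    return (int)len;
}

/* Hardened parser: the declared length must fit both the input and the destination. */
static int parse_checked(const uint8_t *src, size_t n, uint8_t *dst, size_t cap) {
    if (n < 2) return -1;
    size_t len = src[1];
    if (len > n - 2 || len > cap) return -1;
    memcpy(dst, src + 2, len);
    return (int)len;
}

/* Small deterministic PRNG (xorshift32) so a failing iteration can be replayed by seed. */
static uint32_t rng_state = 1;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Mutation step: overwrite one random byte of the message with a random value. */
static void mutate(uint8_t *msg, size_t n) {
    msg[rng_next() % n] = (uint8_t)rng_next();
}

/* Fuzz loop with two oracles: the guard region after the destination buffer must stay
   intact (no over-write), and the accepted length must not exceed the bytes actually
   received (no over-read). Returns the first iteration that violates an oracle, or -1
   if none did within `iterations`. */
static long fuzz(parser_fn parse, unsigned iterations, uint32_t seed) {
    static const uint8_t seed_msg[] = { 0x01, 0x04, 'p', 'i', 'n', 'g' }; /* constructed valid record */
    uint8_t src[SRC_CAP];
    uint8_t mem[PAYLOAD_CAP + CANARY_LEN];
    rng_state = seed ? seed : 1;     /* xorshift must not start from zero */
    for (unsigned it = 0; it < iterations; it++) {
        memset(src, 0, sizeof src);
        memcpy(src, seed_msg, sizeof seed_msg);
        mutate(src, sizeof seed_msg);
        memset(mem, 0xAA, sizeof mem);
        int got = parse(src, sizeof seed_msg, mem, PAYLOAD_CAP);
        for (size_t k = PAYLOAD_CAP; k < sizeof mem; k++)
            if (mem[k] != 0xAA) return (long)it;               /* wrote past the buffer */
        if (got > (int)(sizeof seed_msg - 2)) return (long)it; /* read past the input */
    }
    return -1;
}

int main(void) {
    printf("trusting parser: first failing iteration %ld\n", fuzz(parse_trusting, 1000, 7));
    printf("checked parser:  first failing iteration %ld\n", fuzz(parse_checked, 1000, 7));
    return 0;
}
```

The returned iteration number plus the seed is the reproducer a QA engineer files with the bug; because the PRNG is deterministic, rerunning fuzz with the same seed regenerates the exact input. Real fuzzers replace the single-byte mutator with many strategies and the guard-byte oracle with sanitizers, but the structure (seed input, mutate, run, check an invariant) is the same.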

Black Box Fuzzers: Security Tools for the Unknown

Black box fuzzing tools like beSTORM protect against unknown vulnerabilities. Get this guide, How Black Box Fuzzers Protect Against The Unknown to learn more.

Employ Active Network Scanning to Eliminate High Risk Vulnerabilities


Keeping up with new vulnerability discoveries

With hundreds of new vulnerabilities announced each month, active network scanning is essential. An automated, frequently used vulnerability assessment and management solution is your best option for the elimination of corporate network vulnerabilities.

Enterprises now need proactive, routine network scanning to keep up with internal changes and external developments. This may require weekly scans, given the increasing complexity of vulnerabilities and the speed at which they can now be exploited.

With the increasing complexity of networks, the number of vulnerabilities being discovered daily, the speed at which new exploits are weaponized and the ease of installation of rogue devices, performing vulnerability and network security assessments annually, bi-annually or even quarterly is no longer a viable risk mitigation strategy.

Similarly, the challenge of staying up to date with the current vulnerabilities is now a specialist task. It should now be assigned to a dedicated solution capable of updating automatically for new threats and scanning periodically based on a predefined schedule.

The next level of network scanning

Beyond Security has taken vulnerability scanning to the next level – developing a new way to approach this important task by providing it as an automated scanning solution based on a highly powerful network management tool.

Apply this concept to protecting your home: many homes have a burglar alarm system that reports back to a control room when it senses an intrusion. The security company then responds to the threat.

Imagine if the security company was able to send someone over to your house proactively – to physically check your doors and windows, confirm your home is secure and not under any risk of attack – every day. Active network scanning is that frequent check.

Comprehensive network scanning report

Beyond Security’s beSECURE, the Automated Vulnerability Detection System, performs a comprehensive regular vulnerability assessment on the network and produces a detailed report that contains:

  • An Executive Summary of the vulnerabilities found
  • A comprehensive list of all vulnerabilities discovered
  • A range of solutions to those vulnerabilities
  • The list of all simulated attacks performed.

While Intrusion Detection and Prevention Systems still play an important role, doing an active network scan for the latest vulnerabilities every day brings your network protection to a new level.

See How To Protect Your Company Against The Unknown

Securing your company against known vulnerabilities is important, but how can you secure it against unknown threats? In this guide, How Black Box Fuzzers Protect Against The Unknown, learn how to create layered cybersecurity against known and unknown threats.