Attending Black Hat 2018 was a bit like listening to pharmaceutical commercials. Ask your doctor about… wait, I might have that? I didn’t even know such a disease existed. But, I might have it. Better check to be sure.
This was the vibe at the presentation “Attack Surfaces You Didn’t Know You Had,” delivered by the very well-prepared Christopher W. Day. Day serves as Chief Cybersecurity Officer and GM at Cyxtera Technologies, a provider of secure infrastructure. He spends his days working with enterprise clients, helping them identify and remediate extensive cyberattack surfaces.
The talk emphasized several points about awareness of attack surfaces. First, you can’t protect what you can’t see. He stressed the importance of inventorying infrastructure to gain a complete picture of all exposed points of vulnerability. Most importantly, though, he wanted the audience to focus on unexpected connections to corporate networks. There are many, in his experience.
In Day’s view, standard PEN tests are deficient because attacks are really about leveraging individual nodes. “An attack surface is a dynamic thing,” he said. “The world is perimeterless. The device itself is the perimeter.” Each node of an environment is an attack surface, whether we like it or not.
A home network, for example, has exposure from phones, routers, laptops, cameras, NEST thermostats and more. “What can talk to what?” That’s a fundamental question. And, as he shared, you’d be surprised by the answer. Many seemingly harmless devices offer rich attack surfaces.
Day also cautioned against relying on the traditional “high value/low value” approach to cyber security. There is no such thing as a low value data asset, in his view. The lowest value device is a high value target if it lets attackers access high value targets. The same device can also be both low and high value. For instance, a mobile device in a BYOD environment might be low value inside the corporate walls but a high value attack surface if it can be hacked at a coffee shop. The best practice is to make a thorough inventory and gain a precise understanding of connections. Then, you can enumerate and classify attacks.
- Attack Surface: BMC – Day explored unexpected vulnerabilities in the Linux baseboard management controller (BMC), a processor that monitors the computer and which is used for out of band control. Attackers can “burrow” through the BMC and achieve backend access to firmware, operating systems and beyond. For example, the iPMI interfaces can be exposed to the Internet. In this open mode, they can be exploited to return passwords.
- Attack Surface: Physical Security Systems – Alarm systems and connected sensors and cameras expose organizations to external attacks. Given how poorly patched these devices may be, if they connect to the corporate network, they present easy attack targets.
- Attack Surface: Software Defined Radio and RF – Software defined radios comprise the communication vehicles for technologies like electronic locks, power meters and more. Designed with the assumption that RF was extremely expensive to imitate, these devices often lack strong security. Now, unfortunately, it’s possible to mimic RF using relatively cheap components. An attacker can mimic a cellular base tower, for example, and get “over the wall” in this way and access your network connected devices.
- Attack Surface: Smart Devices – These are endless, it seems. They include refrigerated, thermostats, iPad-connected coffee makers, smart TVs and so forth. All have (typically) unprotected access points like Bluetooth and Wi-Fi connections. However, they are often connected to the corporate network, which will lead to trouble
What can be done about all of these unexpected attack surfaces? Day recommended processes known as “surface templating” and “surface reduction.” There are new architectures, such as zero trust, which structurally limit access and thus reduce risk from attack surfaces. As he said, “If a device gets popped, it isn’t wildfire.” Rules-based access controls can also help. For example, a BYOD device might only be allowed access to the network during business hours. And, finally, he urged attendees to monitor their out-of-band network carefully.