Script for detecting vulnerable TCP/IP stacks released

Just as ICS-CERT published a new advisory detailing four new vulnerabilities in the Treck TCP/IP stack, Forescout released an open-source tool for detecting whether a network device runs one of the four open-source TCP/IP stacks (and their variations) affected by the Amnesia:33 vulnerabilities.

New vulnerabilities in the Treck TCP/IP stack

Reported by Intel researchers and confirmed by Treck Inc., four newly discovered vulnerabilities affect Treck TCP/IP stack Version 6.0.1.67 and prior: Of those, CVE-2020-25066 is … More

The post Script for detecting vulnerable TCP/IP stacks released appeared first on Help Net Security.

Vulnerable TCP/IP stacks open millions of IoT and OT devices to attack

Forescout researchers have discovered 33 vulnerabilities affecting four open source TCP/IP (communications) stacks used in millions of connected devices worldwide. Collectively dubbed Amnesia:33 because they primarily cause memory corruption, these vulnerabilities may allow attackers to remotely compromise devices, execute malicious code, perform denial-of-service attacks, steal sensitive information or inject malicious DNS records to point a device to an attacker-controlled domain.

About the vulnerable TCP/IP stacks

The vulnerable open source TCP/IP stacks are PicoTCP, FNET, Nut/Net … More

The post Vulnerable TCP/IP stacks open millions of IoT and OT devices to attack appeared first on Help Net Security.

Pandemic thinking: What if there were a vaccine for OT ransomware?

The year 2020 has been defined globally by the COVID-19 pandemic. One of few silver linings for this difficult set of circumstances is innovation – redesigning normal processes so that life can carry on with some degree of regularity and reliability.

Pre-COVID, we all took certain risks routinely, and the consequences were minor. Now the consequences are much more serious and we respond to these risks by very carefully deciding how we expose ourselves to the coronavirus. Whether sheltering in place, social distancing, or in full government lock-down, we have all felt the fatigue of being under the siege of an invisible threat.

The good news is there is hope at the end of the tunnel – in a matter of months, medical science will catch up to the threat and normal life will resume.

The cyber pandemic

The pandemic has digital consequences as well, for both enterprise networks and OT networks. Not only has the pandemic brought us more online, and forced us into doing nearly everything remotely, macro trends continue as well.

Computers are getting cheaper and CPUs are more ubiquitous than ever before – which means there are more targets for cyber attacks than ever before. Communication is getting cheaper, faster and more universal, and all this connectivity means steadily increasing opportunities to attack the steadily increasing number of targets.

The trend towards remote work is not likely to reverse very much post-pandemic, and the macro trends certainly will not reverse – no amount of social distancing will slow down cyber breaches, targeted attacks or targeted ransomware.

Unfortunately, many conventional IT security defenses that we deploy to protect against these threats are porous and hackable. Firewalls, IDSes, security updates and VPNs are all software, with inevitable bugs and security holes, which means that all these defenses can be compromised. This is especially troubling in a world of physical, industrial operations that are increasingly dependent on these software-based protections for safe and reliable operation.

Worse, the industrial equivalent of “lock-down”, which is air-gapping, is folklore of the past; air-gapping defeats modern efficiency initiatives and so is either consciously avoided as a modern security strategy, or is implemented badly, resulting in residual connectivity and associated cyber risks.

To operate efficiently, industrial operations nearly always must share data with enterprise and customer systems, and – just as in a global pandemic – the risks and consequences of such contact through cyber connections must be weighed very carefully.

What if there were a vaccine for cyber?

Every pandemic begs a vaccine. What if there were a vaccine for the cyber pandemic? What if there were a vaccine that could prevent OT attacks and the OT ransomware that has shut down hundreds of industrial sites in 2020? Targeted ransomware is one of today’s biggest and nastiest cyber threats.

These targeted attacks defeat conventional defenses at heavily-defended industrial sites. In a sense this is no surprise – many of today’s targeted ransomware groups use attack tools and techniques that were once the sole province of nation-states. A cyber vaccine is needed, urgently.

Unidirectional Security Gateways

The good news – future-proofing our most important services and industries from the cyber pandemic is not as difficult as a COVID vaccine. Today’s hardware-enforced unidirectional gateways stop targeted ransomware and other targeted, remote-control attacks from reaching into industrial networks.

The physical security embedded in the unidirectional hardware does not protect the information, but rather protects the industrial networks from information, more specifically from attacks that may be embedded in information that enters industrial networks.

And unlike air gaps, unidirectional gateways enable seamless flows of operations information from industrial operations out into the enterprise or even out into the Internet beyond the enterprise.

Unidirectional hardware prevents attacks from entering industrial networks, while unidirectional gateway software makes copies of databases and other servers from industrial networks to external networks.

Enterprise and other users simply access the industrial data in the external replica databases. Unidirectional gateways “vaccinate” industrial networks against online attacks, while providing the kind of seamless access to industrial data that modern, efficient enterprises rely on.

There are indeed lessons from the pandemic that we can apply to our industrial networks. Using only software protections means making difficult risk decisions on a regular basis, just as we do with social distancing and lock-downs.

We all look forward to the day of the COVID-19 vaccine, when these difficult decisions and risks will disappear. The good news on the cyber side is that the vaccine for OT networks is already available, in the form of Waterfall’s Unidirectional Security Gateways.

Healthcare network security is slowly improving

Healthcare delivery organizations (HDOs) have been busy increasing their network and systems security in the last year, though there is still much room for improvement, according to Forescout researchers.

This is the good news: the percentage of devices running unsupported Windows operating systems fell from 71% in 2019 to 32% in 2020, and there have been improvements when it comes to timely patching and network segmentation.

The bad news? Some network segmentation issues still crop up and HDOs still use insecure protocols for both medical and non-medical network communications, as well as for external communications.

The findings

Based on two data sources – an analysis of network traffic from five large hospitals and clinics and the Forescout Device Cloud (containing data for some 3.3 million devices in hundreds of healthcare networks) – the researchers found that, between April 2019 and April 2020:

  • The percentage of devices running versions of Windows OS that will be supported for more than a year jumped from 29% to 68% and the percentage of devices running Windows OS versions supported via ESU fell from 71% to 32%. Unfortunately, the percentage of devices running Windows OSes like Windows XP and Windows Server 2003 remained constant (though small)
  • There was a decided increase in network segmentation

Unfortunately, most network segments (VLANs) still mix healthcare devices with IT devices, or mix healthcare equipment with personal and OT devices, or place sensitive devices in the same segment as vulnerable ones.

As far as communication protocols are concerned, they found that:

  • 4 out of the 5 HDOs were communicating between public and private IP addresses using a medical protocol, HL7, that transports medical information in clear text
  • 2 out of the 5 HDOs allowed medical devices to communicate over IT protocols with external servers reachable from outside the HDO’s perimeter
  • All HDOs used obsolete versions of communication protocols, internally and externally (e.g., SSLv3, TLSv1.0, and TLSv1.1, SNMP v1 and 2, NTP v1 and 2, Telnet)
  • Many of the medical and proprietary protocols used by medical equipment lack encryption and authentication, or don’t enforce their use (e.g., HL7, DICOM, POCT01, LIS02). OT and IoT devices in use have a similar problem

That’s all a big deal, because attacks exploiting these security vulnerabilities could do a lot of damage, including stealing patients’ information, altering it, disrupting the normal behavior of medical devices, disrupting the normal functioning of the entire organization (e.g., via a ransomware attack), etc.

Defense strategies for better healthcare network security

The researchers advised HDOs’ cyber defenders to:

  • Find a way to “see” all the devices on the network, whether they comply with company policies, and detect malicious network behavior they may exhibit
  • Identify and remediate weak and default passwords
  • Map the network flow of existing communications to help identify unintended external communications, prevent medical data from being exposed publicly, and to detect the use of insecure protocols
  • Improve segmentation of devices (e.g., isolate fragile legacy applications and operating systems, segment groups of devices according to their purpose, etc.)

“Whenever possible, switch to using encrypted versions of protocols and eliminate the usage of insecure, clear-text protocols such as Telnet. When this is not possible, use segmentation for zoning and risk mitigation,” they noted.
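The flow-mapping step above can be turned into a simple audit. The following is an added example, not Forescout's tooling or code from the report: it scans constructed flow records for the two findings the researchers describe, clear-text medical or IT protocols (HL7, DICOM, Telnet and so on) leaving the HDO's address space, and obsolete protocol versions (SSLv3, TLSv1.0/1.1, SNMP v1/v2, NTP v1/v2). The internal prefixes, the record format and the sample flows are all assumptions.

```python
import ipaddress

# Assumed HDO address space; a real deployment would load its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]

# Clear-text protocols named in the report as lacking encryption/authentication.
CLEAR_TEXT = {"HL7", "DICOM", "POCT01", "LIS02", "TELNET"}

# Protocol versions the report lists as obsolete, keyed by protocol.
OBSOLETE = {"TLS": {"SSLv3", "TLSv1.0", "TLSv1.1"},
            "SNMP": {"v1", "v2"},
            "NTP": {"v1", "v2"}}

# Constructed sample flow records: src_ip dst_ip dst_port protocol [version]
SAMPLE_FLOWS = """\
10.20.1.15 203.0.113.40 2575 HL7
10.20.1.15 10.20.1.99 2575 HL7
10.20.5.7 192.0.2.22 443 TLS TLSv1.0
10.20.5.8 10.20.9.1 443 TLS TLSv1.2
10.20.5.9 10.20.9.2 23 TELNET
10.20.5.10 10.20.9.3 161 SNMP v2
10.20.5.11 10.20.9.4 123 NTP v4
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    parts = line.split()
    src, dst, port, proto = parts[:4]
    version = parts[4] if len(parts) > 4 else None
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto, "version": version}


def audit_flow(flow):
    """Return the list of findings for one flow (empty if it looks fine)."""
    findings = []
    crosses_perimeter = is_internal(flow["src"]) != is_internal(flow["dst"])
    if flow["proto"] in CLEAR_TEXT:
        where = "crossing the perimeter" if crosses_perimeter else "on an internal segment"
        findings.append(f"clear-text protocol {where}")
    if flow["version"] in OBSOLETE.get(flow["proto"], set()):
        findings.append(f"obsolete {flow['proto']} version {flow['version']}")
    return findings


def audit_flows(text):
    """Map each offending flow record to its findings; clean flows are omitted."""
    report = {}
    for line in filter(str.strip, text.splitlines()):
        findings = audit_flow(parse_flow(line))
        if findings:
            report[line] = findings
    return report
```

Flows that cross the perimeter in clear text are the ones to chase first; the internal-segment hits feed the segmentation work the report recommends.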

They also warned about the danger of over-segmentation.

“Segmentation requires well-defined trust zones based on device identity, risk profiles and compliance requirements for it to be effective in reducing the attack surface and minimizing blast radius. Over-segmentation with poorly defined zones simply increases complexity without tangible security benefits,” they concluded.