
With the holiday season in full effect, retailers like Walmart and Amazon are rolling out their Deal of the Day. These deals bring real cost savings, but we also need to take into account the risks of the devices themselves. While it is probably fine (although not encouraged) to deploy them at home, putting these devices on your organization's corporate network can be far more dangerous.

There has been a recent spike in these types of routers being plugged into corporate networks, most of the time by employees who want to either extend the available Ethernet ports or have their own private network. With the router acting as a gateway that NATs every device behind it, the result is an untracked shadow network: from the corporate side, all of those devices appear as a single endpoint. Traditional endpoint detection tools cannot detect these devices or the dangers they introduce.

Take the example of the recent reports of $30 Wi-Fi routers sold at retailers like Walmart and Amazon. Researchers found that these routers contained hidden backdoors and are being exploited by the Mirai botnet. The routers with the reported security hole are Jetstream models that can be purchased easily, with no disclaimer. These critical vulnerabilities allow threat actors to remotely control the routers as well as any device connected to that network, and to monitor all the traffic passing through the router. This constant surveillance of the shadow network can critically endanger the whole network. Additionally, the Wavlink routers contain a script that lists nearby Wi-Fi networks and could connect to those networks using factory passwords. This can have a cascading effect, with the attacker slowly and patiently expanding the blast radius.

Ordr installed these two routers in our lab environment and almost instantly noticed connections over port 443 to known Chinese domains.
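As an added example (not Ordr's own detection logic), the following script illustrates one defender-side heuristic for spotting the shadow network described above: a consumer router forwarding for several devices decrements TTL, so one MAC on the access segment shows TTLs one hop below common OS defaults, and often more than one distinct TTL because different operating systems sit behind it. The flow records, addresses and domain names are constructed for the example; the heuristic assumes the observed hosts are on the local segment, since traffic routed in from another subnet is also one hop down.

```python
from collections import defaultdict

# Common initial TTL values set by operating systems. A packet from a host on
# the local segment that arrives one below one of these has already crossed a
# forwarding hop, which for a client port usually means a NAT router.
DEFAULT_TTLS = (64, 128, 255)

# Constructed sample flow records (not real traffic):
# (src_ip, src_mac, observed_ttl, destination, dst_port)
FLOWS = [
    ("10.0.5.17", "aa:bb:cc:00:00:01", 128, "update.example-vendor.test", 443),  # ordinary Windows host
    ("10.0.5.42", "aa:bb:cc:00:00:02", 63,  "cdn.example.test", 443),            # 64-1: behind a NAT hop
    ("10.0.5.42", "aa:bb:cc:00:00:02", 127, "mail.example.test", 993),           # 128-1: another OS, same MAC
    ("10.0.5.42", "aa:bb:cc:00:00:02", 63,  "telemetry.router-vendor.example", 443),
    ("10.0.5.9",  "aa:bb:cc:00:00:03", 64,  "intranet.corp.test", 80),           # ordinary Linux host
]

def ttl_looks_forwarded(ttl):
    """True when the TTL is exactly one below a common OS default."""
    return any(ttl == d - 1 for d in DEFAULT_TTLS)

def find_shadow_gateways(flows):
    """Group flows by source MAC and flag MACs that look like NAT gateways.

    A MAC is flagged when its traffic shows more than one distinct TTL
    (different operating systems behind one address) or when every TTL it
    sends is one hop below an OS default. Returns a dict
    mac -> {"ip", "ttls", "https_destinations"} for flagged sources.
    """
    by_mac = defaultdict(list)
    for ip, mac, ttl, dst, port in flows:
        by_mac[mac].append((ip, ttl, dst, port))
    findings = {}
    for mac, recs in by_mac.items():
        ttls = sorted({ttl for _, ttl, _, _ in recs})
        mixed_os = len(ttls) > 1
        all_forwarded = all(ttl_looks_forwarded(t) for t in ttls)
        if not (mixed_os or all_forwarded):
            continue
        findings[mac] = {
            "ip": recs[0][0],
            "ttls": ttls,
            # Outbound TLS destinations are what an analyst triages first.
            "https_destinations": sorted({dst for _, _, dst, port in recs if port == 443}),
        }
    return findings

if __name__ == "__main__":
    for mac, info in find_shadow_gateways(FLOWS).items():
        print(f"possible NAT gateway {mac} ({info['ip']}): ttls={info['ttls']} "
              f"https={info['https_destinations']}")
```

A flagged MAC is a lead, not a verdict: confirm it with the switch port and OUI information before acting on it.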

With Ordr, these devices can be easily identified, classified and added to the “Hi-risk Manufacturers” profile.

The next challenge is to physically locate these devices so that they can be investigated and removed. Ordr provides device location and physical connectivity information so that each device can be tracked and the appropriate workflow supported.

Identifying these rogue devices is important in protecting your network infrastructure. With Ordr's ability to see all connected devices via DPI, to support massive network infrastructures by classifying devices at scale with AI/ML, and then to automate policy generation, we can help our customers discover, baseline, and secure their environments.

For more information on how Ordr can help you identify and manage vulnerabilities for any connected device, please contact info@ordr.net.


This week SolarWinds announced that they were breached earlier this year and that the attackers were able to place malicious code within the build systems for their Orion product. This malicious code was subsequently compiled, tested, signed, and delivered to SolarWinds customers in March 2020. The last week has been very interesting, as a supply chain breach of this magnitude had previously only been theorized and discussed in security tabletop exercises. Since the SolarWinds breach announcement we have been working with several Ordr customers and partners to facilitate detection of malicious activity associated with this breach and, for some customers, detection of the SolarWinds devices on the network so that they could be taken down.

Currently, Ordr has the ability to detect the command and control (C2) servers utilized by the Domain Generation Algorithm (DGA) of this SolarWinds malware through our malicious communication detection service. Ordr monitors all device communications within the network, and if we see a connection or DNS lookup to one of the malicious domains associated with this malware (*.avsvmcloud.com, as listed in the countermeasures published by FireEye: https://github.com/fireeye/red_team_tool_countermeasures) we alert the Ordr SCE operators.
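As an added example (not Ordr's detection service), here is the core of a DNS-lookup check for the *.avsvmcloud.com DGA domain named above. The point it makes is that a DGA produces unpredictable subdomains, so the match has to be on the registered-domain suffix and must be robust to case and trailing dots, while not matching unrelated names that merely contain the string. The log format and all query names and client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Registered domain published for the SolarWinds/Orion malware DGA (see the
# FireEye countermeasures repository referenced above). Every subdomain the
# DGA generates falls under it, so matching on the suffix catches them all.
WATCHED_SUFFIXES = ("avsvmcloud.com",)

# Constructed sample DNS query log (not real data) in an assumed
# "timestamp client qname" format; the subdomain label is made up.
DNS_LOG = """\
2020-12-14T03:12:01Z 10.1.20.15 time.windows.com
2020-12-14T03:12:07Z 10.1.20.15 constructedlabel0123.avsvmcloud.com.
2020-12-14T03:13:44Z 10.1.20.88 notavsvmcloud.com
2020-12-14T03:14:02Z 10.1.20.15 AVSVMCLOUD.COM
2020-12-14T03:15:30Z 10.1.30.7 updates.example.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

def normalize(name):
    """Lower-case the name and drop the trailing root dot of an FQDN."""
    return name.rstrip(".").lower()

def matches_watchlist(name):
    """Match the domain itself or any subdomain of it, never a substring."""
    n = normalize(name)
    return any(n == s or n.endswith("." + s) for s in WATCHED_SUFFIXES)

def scan_dns_log(text):
    """Return {client_ip: [(timestamp, normalized qname), ...]} for every hit."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production parser would log it
        if matches_watchlist(m["qname"]):
            hits[m["client"]].append((m["ts"], normalize(m["qname"])))
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in scan_dns_log(DNS_LOG).items():
        for ts, qname in lookups:
            print(f"{ts} {client} looked up {qname}: isolate and investigate")
```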

Additionally, we have deployed several detection signatures to our deep packet inspection (DPI) intrusion detection system (IDS) that look for both the malicious communications associated with this SolarWinds malware and the lateral movement techniques that FireEye and Microsoft discovered when researching the threat actors behind it.

Of course, since Ordr has the capability to detect and classify all systems on the network, we are able to detect any SolarWinds systems that exist on the network at any time.

SolarWinds has provided a hotfix (2020.2 HF 1) and is providing an additional hotfix (2020.2 HF 2) today to all of their customers. We urge all SolarWinds customers to apply these patches to their systems and to aggressively monitor the SolarWinds servers for any anomalies.

Additionally, we are urging anyone that utilizes SolarWinds Orion to change any authentication credentials that were stored inside the Orion system, and to consider any credentials stored inside Orion within the last 10 months compromised.


In the Fireside Chat: Addressing IoT Security Risks with Nexteer Automotive webinar, I discussed best practices for organizations building IoT security programs with Ron Temske, VP Security at Logicalis, and Jeff Horne, CISO at Ordr.

Background

The winds of change are blowing through the world of work today. Macro trends such as Industry 4.0 require that companies enact and accelerate their digital transformation. Technologies such as artificial intelligence, blockchain, cloud computing, autonomous vehicles, robotic process automation, edge computing, and the Internet of Things (IoT) are helping foster innovation and competitive advantage.

As companies embrace digital manufacturing to increase efficiency and optimize operating costs, there is an explosion of IoT devices on the plant floor. Further, more and more of our home devices are becoming internet connected. The exponential proliferation of IoT devices and immature security practices make them targets for attack.

Addressing IoT Security Risks

IoT devices play critical roles across many business functions in enterprises, which makes building an IoT security program crucial. Here are my tips for tackling IoT security, the “Magnificent 7 IoT Security Guiding Principles”:

  1. Characterize: Identify and classify assets and stratify them by business value and risk
  2. Demarcate: Implement network zones with a clear demarcation between IT and OT networks
  3. Understand: Visualize and identify threats and vulnerabilities across networks inclusive of devices, traffic, etc.
  4. Unify: Control access by users and devices across both secure wireless and wired access
  5. Adapt: Leverage Zero Trust to enact adaptive control schemes in real time
  6. Converge: Develop explicit third-party access and risk management protocols including Privileged Remote Access, which are particularly relevant to OT networks to strengthen the security architecture
  7. Beware: The following root causes have led to IoT device security issues in the past
    • Static credentials embedded in the device
    • Lack of encryption
    • No software updates
    • API security gaps

How Ordr Can Help

Besides sharing tips on creating an IoT security plan, I also shared the reasons why Nexteer chose Ordr over other IoT security solutions.

One of the key principles of our InfoSec & Privacy program, NEXTINTRUST, is to leverage the trifecta of IDENTITY, INTEGRATION & INSIGHTS across a layered security architecture for enacting adaptive, proactive control strategies.

Consequently, key dimensions needed to enact this strategy across the OT & IoT arena are:

  • Device Visibility
  • Policy Definition
  • Behavior & Risk Analysis
  • Enforcement of Policies & Standards

Ordr mapped well to Nexteer’s key security dimensions and to the NIST Cybersecurity Framework principles of Identify, Detect & Protect. It can help us transform our security operations across the plant floor and the IoT device arena.

Ordr offers a real-time dashboard and key insights such as automatic device inventory, device communication, and device risk analysis. Ordr’s ease of deployment, FIPS certification, and all-inclusive licensing model were also differentiators.

Ready to try Ordr for yourself? Try the Hands-On Lab to see how Ordr will discover and classify all connected devices, profile device behavior, and automate segmentation policies.


Watching the Fireside Chat: Medical Device Security is a Joint Effort webinar from American College of Clinical Engineering (ACCE), with Michael Brilling of Dartmouth Hitchcock and Benjamin Stock of Ordr, I found the following information about Dartmouth Hitchcock’s IoT security journey helpful.

The Healthcare Challenge: IoMT, OT and IoT

Internet of Medical Things (IoMT), Operational Technology (OT), and Internet of Things (IoT) can all be challenging to secure. Organizations have thousands of devices, each with unique systems, and limited ability to patch.

Dartmouth Hitchcock’s key drivers for developing their security plan were gaining knowledge of what was on their network, and accurately identifying what each of those devices is doing and what is running on them. Collaboration is key to protecting IoMT devices; here is how Dartmouth Hitchcock used it to develop their security strategy.

Collaboration

Medical device security planning requires collaboration between network, security, HTM/Biomed, and leadership teams. Leadership must ensure all connected devices are secure and make the financial decisions when it comes to security solution and device procurement. Security and IT teams need to gain visibility into devices, understand how devices communicate, and create segmentation and security policies to properly secure every device. HTM/Biomed teams should focus on IoMT devices, keeping track of devices, their vulnerabilities, and any recalls or updates from vendors.

Collaboration is necessary to secure all the different types of devices and mitigate their vulnerabilities. Organizations should decide which team owns each device, which security product best addresses all of their needs, and how to leverage their security tools. The Information Security team, Networking team, and Clinical Engineering (CE) teams at Dartmouth Hitchcock were all involved in the creation of an IoT and IoMT security plan, overseen by a Health Information Technology Officer. Clinical Engineering and HTM/Biomed personnel at Dartmouth Hitchcock influenced the creation and implementation of connected device security policies, but allowed security personnel to be the subject matter experts for device vulnerabilities.

By involving multiple teams in creating their security program, they made future security endeavors easier. Now, if something comes up in a grey area, they can direct the issue to the right team.

Choosing a Security Solution

Procuring and implementing a security solution is a team effort. Ensure leadership is involved and sponsoring the project, and lay out what problems each team needs to solve and what they want to gain. All stakeholders should evaluate the candidate security solutions to decide whether vendors meet all of their needs.

Different teams at Dartmouth Hitchcock have different use cases for security tools. They found that Ordr supported their collaboration efforts; for Dartmouth Hitchcock, bringing in Ordr added to an existing stack of collaborative tools. Having previously invested in Cisco tools, they saw Ordr’s familiarity with Cisco as a differentiator: Ordr was able to support their existing infrastructure without requiring them to change firewall tools or protocols.

Implementation

In implementing their IoMT security program, they were surprised by the amount of communication their medical devices required and by the number of personal devices on their network. They had not expected to find as many smart speakers. These devices generate a lot of network traffic and could potentially compromise HIPAA compliance with their recording capabilities. With device visibility from Ordr, Dartmouth Hitchcock was able to find these issues and create a policy to segment smart speakers onto a guest network where they cannot communicate with the rest of the environment.

Utilizing Ordr

As part of their security process, they have encrypted the generic passwords that they cannot otherwise protect, and they are getting more involved in the supply chain process to ensure that device purchases come with password policies that work for them.

Dartmouth Hitchcock has benefited from Ordr, and now that they have completed their immediate security plans, they plan to expand their use of it. Ordr aids in Dartmouth Hitchcock’s microsegmentation efforts and gives them insight into devices, so they can see how often devices are used and how many are needed. They plan to use this information for future procurement decisions.
