There has been a recent WikiLeaks posting (https://wikileaks.org/ciav7p1/) that has caused some amount of news, and lots of patches coming out to fix revealed IT Security vulnerabilities. This is an interesting reminder that nothing is absolutely secure. There were the actual application vulnerabilities discovered. There was the loss of the “attack tools” by the CIA to third parties. Now there’s the impact to many users of those tools where many attackers are taking notice and building their own attack methods.
CLASSE User Take Aways
While we cannot and do not try and secure everything, it is important to understand that vulnerabilities exist in all products, and there is a good chance eventually whatever attack vector is discovered, more people will figure it out or find it out over time. This is why patching is so important – if you’ve patched before the attacker who is targeting you actually attacks you, you are protected. The problem is that there’s a shortened period between when a vulnerability is discovered, a patch is created and an attack is wide-spread. So patch as soon as is possible. Also realize that you’re far better protected if something isn’t on the internet. So if you’re looking to buy something that has network capabilities – consider if it needs to be accessible from the internet. Think about if the network connectivity actually helps you do something useful. There are three options we usually consider.
Make Sure the Device Can Be Updated
If the device gets regular security and stability patches, it might be safer to allow remote access. Make sure you patch it just like a computer or mobile device. If it can’t be updated or isn’t updated regularly, go to the next option.
Don’t Connect to the Internet
Put behind a firewall. This could be the CLASSE firewall at work, or your home router / firewall, or even a special firewall just for this device. Block connections from outside your network to the device. This way, you limit who or what can connect to it. Don’t enable call outs to the vendor from the device, or block those at the firewall if you don’t need that functionality. In this case, you’re putting some of your protection in the security of other devices on your network. You connect to it from an up-to-date computer that is on your network, and doesn’t go off the network.
Disconnect the Device From the Network Entirely
Many devices are “internet-enabled” but that functionality is more “useful” as a way for someone to hack your device, house, and other devices, than in enhancing the device for the owner. I’m thinking of many appliances like fridges, TVs, scopes and hardware control, or specific use computers. Will your life be affected if your fridge can’t download the weather to an indoor screen? But what if an internet worm “bricks” that fridge? Even “smart TVs” are generally not that smart a thing to connect to the net. Use something like a Roku or Amazon FireTV that is cheap, updated, and easily replaceable. You don’t want to risk a $800 big screen TV to being remotely bricked and in some cases ransomed versus a $40 easily replaceable plug-in device.
Conclusion
It’s important to think like an attacker or at least be paranoid. We all used to plan for “non-state” attackers level of resources, sophistication and targeting, figuring we really couldn’t stop a “nation-state” level attack such as a targeted CIA operation. Now we know that while most people don’t need to worry about the CIA mounting an operation against them, their tools can “escape” for others who may well target us to use against us. So we all have to take security that much more seriously. We need to patch and isolate and use layered defenses.