Enhanced IoT Fingerprinting & Security with Cloud-Native DHCP Listening

More Like the Internet of Everything

With the explosion of new devices connecting to the internet, IoT (or, the Internet of Things) really might as well be called IoE (or, the Internet of Everything.) The use cases for always-connected devices span across industries – from facilities that can now better manage energy usage according to peak customer traffic, and medical devices that can adjust medication levels in seconds, to retail warehouses that can track inventory down to the last widget. It’s undeniable that IoT has been a game-changer.

That’s not to say, however, that IoT does not present some unique challenges – specifically for network security professionals.

Who Are You?

The devices themselves tend to run on extremely lean operating systems, which means they don’t run typical monitoring protocols like SNMP. There’s also no possibility of installing extra software like agents. They’re designed to be easy to set up; just point them at an internet connection, which means any user can add an IoT device.

This creates an especially tough situation for IT administrators. After all, an essential part of zero trust security is knowing what is on your network, which means you need to make sure operating systems and firmware are patched and up-to-date to close the gap on any known vulnerabilities. But how can you know what’s on your network if the devices don’t report back specific identification in any way?

This problem has become so common it has a name – “Shadow IoT” – and it’s so prevalent that 80% of IT leaders found devices on their network they didn’t know about.

IoT Fingerprinting to the Rescue!

To combat this, several companies that make security tools like Network Access Control software have begun offering IoT Fingerprinting. This is a way to gather information about IoT devices like model, OS or Firmware, and manufacturer without requiring the devices to report in. While an absolute game changer for helping secure these devices, it is not without its challenges.

The biggest issue is that there is no real standard across devices – most don’t support Simple Network Management Protocol (SNMP) or Windows Management Instrumentation (WMI). Some devices support Universal Plug & Play (UnPNP) or Bonjour, but typically you only find that on consumer devices like a Roku or an AppleTV. Some Cisco devices support CDP (Cisco Discovery Protocol), but that doesn’t cover other vendors; some may use LLDP instead (Link Layer Discover Protocol) but typically you will find that only on phones, video conferencing equipment, and commercial IP surveillance cameras.

Port scanning via Nmap & TCP have more drawbacks – they scale very poorly. Also, with increased pressure on IoT manufacturers to pay more attention to security, more and more devices are being shipped with all ports turned off. And of course, the most basic firewall will raise alarms when a port scan is detected.

MAC address will get you some information, but they pose some challenges too. The first six hexadecimal digits of a MAC address are called the OUI and they identify the manufacturer. This is useful, but also not super accurate in the sense that if you find an HP device on your network, that does little to tell you what it exactly is. It also does not tell you any information about operating systems or firmware.

DHCP at first seems like a great option – when a device connects to a network, its first step is typically to request an IP from a DHCP server. During the DORA process (Discovery, Offer, Request, Acknowledge) much information is passed back and forth, including information to fingerprint the device. Many enterprise switches support a process called DHCP Gleaning, where the switch listens for DHCP requests Switchport interfaces and is then captured as a device sensor and sent along with RADIUS accounting info.

The problem here is that not all switches support DHCP Gleaning. For the ones that don’t, how do you get the information collected by the DHCP server to your network access control software to do the actual fingerprinting? Some solutions have you install an on-prem DHCP forwarder, which signs your IT team up to deal with deploying and maintaining yet another server, upgrades, patches, etc. Even worse, this separate forwarder creates overhead on your network that may impact your users and sensitive traffic.

So, all hope is lost, and there’s no reliable way to accurately fingerprint all your IoT Devices, but there’s great news coming.

Portnox’s DHCP Listener Heads to the Cloud

Keep all the magic of a cloud-based solution – vendor agnostic, no maintenance, no upgrades, no worries – AND get the most accurate fingerprinting of all your IoT devices as part of your comprehensive zero-trust solution!

You can easily configure your network devices to send the data your DHCP server already gathers throughout the course of handing out IP Addresses to the Portnox SaaS DHCP listener.

All you need to enable is a layer 3 device on the same subnet as the devices you want fingerprinted, that is NOT also acting as a DHCP server. You will need to configure the DHCP helper, which will forward this information to us. Most devices support using a DHCP helper – in fact, most devices support running multiple, so no need to sacrifice anything in your current architecture. The helper will forward DHCP and BOOTP broadcasts on directly connected subnets and relay them to the Portnox DHCP listener on port 67.

If you have bandwidth considerations, you can lay them to rest – DHCP is a very lightweight protocol, consuming less than 350 bytes per request on average. Since we are not making DHCP offers, the only bandwidth is from the clients DHCP request that is forwarded from the clients.

So let’s say you have 500 clients. A DHCP lease is typically 24 hours, with clients renewing at 12 hours. That means you’d spend 175 kilobytes of total data every 12 hours…even a 28.8 baud modem could handle that request.

We use this formula to calculate bandwidth:

(((TOTAL # OF DHCP CLIENTS X 350BYTES) X2 FOR 24 HOURS) X8 CONVERT TO BITS)/ 86400 SECONDS IN A DAY

IN EXCEL THE EQUIVALENT FORMULA WOULD READ: =(((500 *350)*2)*8)/86400

This first-of-its-kind SaaS DHCP listener is easy to set up, and opens a whole new world of accurate fingerprinting for IoT Devices.

Log4Shell is Still Lurking.

What Does it Mean for Corporate Networks?

What is Log4Shell & What Does it Affect?

In December 2021, the Log4j vulnerability, also known as Log4Shell, was made public. Log4j is a logging utility for Java that allows developers to output log messages from their applications to various destinations, such as the console, a file, or a database. Like any software, log4j is susceptible to vulnerabilities that can be exploited by attackers. Logging tools are used by developers to keep track of activity within a certain application.

To take advantage of Log4Shell, all attackers have to do is trick the system into logging a unique piece of code. They can then take over their target’s computer and install malware or launch other types of cyber attacks.

Log4j’s handling of serialized data is one area where it might be vulnerable. An attacker may be able to insert harmful code into serialized data supplied to the log4j library in some versions of log4j. The injected code may be executed if the log4j library deserializes this data, which might provide the attacker access to the system without authorization or enable them to carry out other nefarious deeds.

A year later, the issue still posses’ great risks as was noted by an announcement by both the FBI and the Cybersecurity and Infrastructure Security Agency on a network attack by Iranians at a federal civilian executive branch agency. With the relentless rise of attacks and vulnerabilities dominates the cybersecurity landscape, organizations are coping with a compound threat: the vulnerabilities from prior years that may not have been sufficiently addressed as well as the new ones that surface every year.

How Does Log4Shell Affect Corporate Networks?

What makes the Log4j vulnerability even more dangerous is how ubiquitous the Log4j 2 library is. It can be found in large and small services as well as significant platforms like VMware and Amazon Web Services. Organizations across the industry have included Apache Log4j 2 into a variety of applications because it is one of the most used logging frameworks on the internet. This includes well-known cloud providers like Twitter and Stream as well as platforms like Apple, Google, Microsoft, and Cloudflare.

The vulnerability’s impact is amplified in particular by how simple it is to exploit. The Log4j library manages how code and data are logged by applications. The flaw gives an attacker access to a string, which they can use to fool the application into requesting and executing malicious code they have control over. Attackers can thereby remotely take control of any internet-connected service that makes use of specific versions of the Log4j library, regardless of where in the software stack it is located.

The subject is pertinent to more discussions about the software supply chain and how it is more challenging to find and fix vulnerable code since many firms do not have a complete accounting of all the software they use in their systems. However, even if a company has a record of every piece of software it has purchased or installed, those programs may still contain other software components that the end user isn’t precisely aware of and didn’t intentionally choose. Because of this intricate web of dependencies between the impacted platforms and services, patching can be a challenging and time-consuming process.

Attackers are still actively using Log4Shell everywhere they can, from criminal hackers looking for a way into targets’ systems to attackers with the support of the Chinese and Iranian governments who use the exploit in their espionage operations. Moreover, latest analysis released by Tenable Wednesday revealed that the issue still exists as of October 1, 2022, and that 72% of organizations are still exposed to Log4Shell. Some companies that first mitigated the vulnerability are included in that figure. Tenable conducted the study while gathering information from more than 500 million tests.

How can Companies Mitigate This Vulnerability?

Any company can fall victim to Log4Shell. Previous research and data analysis suggest the importance of continually assessing enterprise environments for the flaw, as well as other critical vulnerabilities.

Companies should update their own applications and infrastructure that use Log4j as well as third-party applications immediately. Corporate networks need enhanced security solutions that can immediately and automatically identify vulnerable systems and their dependencies, and help you prioritize the most critical systems to update first.

Prioritizing Java processes that are accessible via public networks and have the potential to leak critical information to malicious intruders is the most effective strategy for solving this problem. Throughout this process, it is important to keep a list of all known and suspected susceptible assets and what is being done with them.

Since malicious cyber actors may compromise an asset and then patch it to cover their tracks, it is crucial to keep track of patching. In order to determine whether a threat actor may have patched an asset, organizations should maintain a detailed record of the susceptible assets they have patched.

Even with proper record keeping, it is important to verify the success of the mitigation. Use the appropriate tools and techniques to scan the patched asset. Utilize different techniques to confirm that the mitigation was properly implemented while keeping a careful eye on the asset. Look out for updates from vendors to the asset’s software.

For information on known affected products and patches, go check CISA’s Github page the GitHub page for CISA. CISA will keep the repository updated when vendors issue patches.

Given the widespread exploitation of this vulnerability, it is also advisable to conduct hunt procedures. Organizations should assume that their assets have been compromised to simulate incident response procedures. It should involve treating assets as compromised, inspecting and monitoring accounts across your enterprise that exist on or connect to assets that use Log4j. These are among the ways that corporate networks can be protected from the vulnerability.

It goes without saying that all firewalls and intrusion detection systems should be updated. The patches could filter or block LDAP and RMI traffic attempting to reach malicious LDAP servers. It is also useful to ​implement general sanitation practices like multi-factor authentication and strict VPN policies. Finally, it was noted that a design flaw in the JNDI Lookup plugin is primarily to blame for this critical vulnerability. By disabling the Jndi Lookup class, the logger will be unable to take action based on data found in the log. JNDI is however disabled by default in version 2.16.0 of Log4j.

What is the Future for Log4Shell & Cybersecurity

Recognizing the problem is the first step in solving a complicated issue like cybersecurity vulnerabilities. Just a few years ago, security breaches were a taboo subject that was rarely addressed outside of the computer sector, and firms that had experienced them were unwilling to reveal and provide specifics. The latest round of public hacks has elevated cybersecurity to the level of board discussion for many businesses. Additionally, customers can now evaluate businesses based on how they choose to handle these incursions.

Another hopeful aspect is the fact that cybersecurity education is becoming more mainstream. Degree programs in cybersecurity are currently available from many prestigious colleges, including Stanford, MIT, and University of California, Berkeley. Similar initiatives are being made in the tech and cybersecurity sectors. There will be a record number of highly skilled professionals in the security sector. They also gain knowledge from the intrusions and weaknesses. News stories from today become case studies and precedents in the law of tomorrow.

It is also encouraging to see that vendors are building new technology with security in mind. While not all technologies will benefit from this, and the environments won’t be future-proofed, it represents a significant shift from decades of development practices. Although it will take time for these modifications to take effect, keep in mind that the choices that led to the creation of Log4Shell were made years ago.

Seeing more public-private partnerships being formed is a step in the right direction. Companies and governmental organizations are working together to exchange knowledge about vulnerabilities and incursions. Organizations are sharing technical information and more comprehensive strategic lessons learned for the good of everybody. In order to respond and address these problems more quickly and effectively, this happens at numerous levels and across a variety of teams.

These are positive moves the security sector sorely needs to take. It raises the possibility that the world will have considerably more robust and resilient cyber defenses in future.

Establishing an Effective Network Security Posture Requires the Unification of Access Control, Risk Mitigation & Endpoint Remediation Capabilities

There’s a movement underway in cybersecurity today to adopt tools for enterprise network authentication. This trend makes sense. After all, authentication is just a fancy way of saying identity verification. Proving one’s identity has been a way of granting one’s access to something since time immemorial. From the secret passwords used to enter Chicago’s famed speakeasies to the retinal scanners used to clear you through airport security today – proving identity ensures trustworthiness and minimizes risk. 

Today, there are three primary methods that organizations rely on for network and application authentication: 

• Password-Based Authentication – Passwords are the most common methods of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that include a combination of all possible options. Of course, humans are lazy and tend to stick to what they know…meaning the same password gets used almost universally 
• Multi-Factor Authentication –  MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defense against most account hacks, but it has its own pitfalls. 
• Certificate-Based Authentication –  Certificate-based authentication technologies identify users or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport. This is perhaps the strongest means of authentication. 

Now,  Mission Impossible fans might say  hey, wait a minute, biometric authentication is missing off this list.  They’re not wrong, but frankly we’re not really focused on physically breaching CIA headquarters at Langley to get our hands on the coveted NOC list here. Rather, let’s focus on the day-to-day use of authentication techniques adopted by employees during business hours. 

I’m On the Network: Great, Now What?

The efficacy of the network authentication methods above can be debated to no end. That’s not why we’re here. Once a person’s device is authenticated to a corporate network, there are several security considerations that pure-play authentication tools can’t address. 

For example: 

• Is the connected user an employee, guest, or contractor? 
• What’s the user’s role within the organization (i.e. seniority or department)? 
• What can the user access on the network? 
• What’s stopping the user from accessing resources that shouldn’t be available to them? 
• How do you monitor the risk posture of the connected device? 
• How do you know if that user’s device becomes infected with malware? 
• Can you prevent that infected device from moving across the network? 
• Is there a way to return a non-compliant device back to a healthy state? 

Inside that medley of questions are a grab bag of other more detailed and technically intricate considerations that network security administrators may worry about. The point is this: once a user authenticates their device to the network, how can you prevent that device from posing a risk to the organization, even if unintentional? If you’re solely relying on authentication methods for network security, the answer is: you can’t. 

Closing the Gap on Network Security Blind Spots

The list of considerations above boils down to needing three primary capabilities on top of network authentication when it comes to network security. Without these, you’re essentially flying blind, unable to determine the true security posture of your network.  

These capabilities include: 

• Access Control –  If authentication is the first step, employing access control is the second. Here, you’re aiming to dictate who can access what across your network. For example, you may not want Marketing to access Accounting’s VLAN. Why? Because Accounting’s VLAN holds sensitive financial information that has no bearing or relevancy to the day-to-day operations of Marketing. 
• Endpoint Risk Posture Assessment –  The ability to continually monitor the risk threshold of each endpoint connected to your network means knowing how vulnerable you are to compromise. N etwork administrators will typically define a risk assessment policy, which assigns a risk score to each device. This score will indicate the level of risk posed by the device, taking into consideration the status of the device’s firewall, antivirus, applications in use and more. 
• Proactive Device Remediation –  In some instances, the network security team may define a series of remediation policies. Essentially, a remediation policy consists of unattended corrective and preventive actions (CAPA), automatically applied to devices upon every transmission or on a recurring basis. A remediation policy can be used to reduce devices’ risk scores and increase compliance levels for network access. 

Unifying these Security Essentials With NAC

There is only one type of cybersecurity technology that brings together network authentication, access control, risk monitoring and remediation. That’s network access contro l (NAC). NAC, such as  Portnox CLEAR NAC-as-a-Service , unifies these network and endpoint security essentials in a single platform, and helps you fill in these critical gaps that an authentication-only approach fails to cover: 

• Device profiling for contextual understanding 
• Role-based and location-based access control 
• Segmentation through dynamic VLAN assignment upon authorization 
• Risk mitigation through device posture monitoring 
• Device quarantining based on risk score policies 
• Automated device remediation of non-compliant devices 
• …the list goes on… 

Ultimately, anything less than complete network security coverage enforced through a NAC system that brings together these essential capabilities isn’t “network security” – it’s holding on to a hope and a prayer. Rely on standalone authentication tools at your own peril – we’ll just have to say we told you so.

Cyberattacks against mid-market and enterprise organizations are on the rise. From man in the middle (MitM), distributed denial-of-service (DDoS) and SQL injections, to zero-day exploits and phishing, cyberthreats are getting more sophisticated, more prevalent and more costly. But one type of cybercrime reigns supreme: ransomware.

Not-so-fun facts about ransomware today:

• Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
• In 2021, 37% of all businesses and organizations were hit by ransomware.
• Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
• Out of all ransomware victims, 32% pay the ransom, but they only get 65 percent of their data back.
• Only 57% of businesses are successful in recovering their data using a backup. Source: Cloudwards

COVID-19 is not the only pandemic to emerge and gain a global stronghold as we push on into the 2020s. Ransomware has its tentacles everywhere. No network – corporate or personal – is immune. The financial damage being inflicted, especially at the corporate level, is only getting more and more severe. It has the potential to bring some institutions to their knees and send ripples through the global economy, eventually impacting the everyday consumer.

If we’re to right the ship, the castle walls around our ever-expanding networks must become stronger, more dynamic and more intelligent. It also requires vulnerable entities to step into the realm of psychology. What’s motivating these threat actors? What do we as an organization have that they want?

Stopping Ransomware Just as we wear masks and get vaccinated to protect ourselves from the threat of contracting COVID-19, we must take the proper precautions to limit or eliminate the possibility of a ransomware attack.

Know Your Enemy For most companies, the enemy (or hacker) just wants money. More rarely, they’re after corporate data for some personal gain – again, that could be to sell it or leverage it for other malicious initiatives that could be politically or ideologically motivated. Even more rarely, they’re just looking to tarnish your brand’s reputation.

Regardless of their intent, however, there is one simple commonality: they want to breach your network through clandestine means. The emphasis is on the network even if that network is not physical. Today, it doesn’t need to be. In 2022, your network is merely where your corporate endpoints are in use, and ultimately where data accessed via those devices is stored.

The attempt to understand the enemy has given rise to threat intelligence services that can help you profile your attackers. Such tools can determine whether these individuals have a hold on your network, endpoints and/or users. But threat intelligence alone isn’t enough – organizations need to know themselves, which requires a unified stack of security technologies and tactics that when deployed in conjunction with one another can thwart even the most sophisticated ransomware attack.

Know Your Organization Corporate endpoints serve as the initial entry points to any corporate network. These devices store proprietary, sensitive data – the hostage in this hostage taking scenario. To effectively secure the network requires instituting a bevy of endpoint security measures as part of a larger security posture strategy. Frameworks such as the CIS Critical Security Controls outline these best practices.

Ultimately, however, organizations can start with these basics:

• Use Multi-Factor Authentication (MFA) when possible; discourage the use of corporate applications that do not allow for MFA activation; use a password manager when MFA is not available.
• Have a mechanism to isolate any infected machine in use across your network to prevent lateral movement and further spread. Network access control (NAC) solutions have been purpose-built to do just this.
• Employ an email content inspection software that proactively inspects all links and attachments within incoming emails; this aids in stopping malware via phishing attempts.
• Deploy an Endpoint Detection & Response (EDR) program on all machines – managed devices, BYOD & IoT / OT – that runs 24/7 with automatic system updates.
• Ensure you’ve instituted proactive device remediation for all connected endpoints that can automatically update firewalls, antivirus and VPN services in use. NAC also incorporates this functionality.

If you follow those principles, you can win every battle. As legendary military strategist Sun Tzu wrote in his classic work, The Art of War: “If you know the enemy and know yourself; you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

In early December 2021, a significant vulnerability in a common piece of Java-based code by Apache set the world on fire…at least for IT security professionals. Within 24 hours of disclosure, leading software companies like IBM, Oracle, Amazon, and Cisco went into damage control, seeking to assess the level of potential damage they had and could expect to sustain, and frantically working on patches to prevent their customers’ data from being siphoned off and sold to the highest bidder. The event was fitting for 2021, a year marked by disinformation, confusion and fear.

“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a interview on CNBC.

As December 2021 dragged on, related flaws continued to surface, sending those same software companies back to the drawing board to repackage and test yet another series of patches for customer distribution. This after communicating initial patches to customers that often took a whole weekend or more to implement. It didn’t bode well for a happy holiday season for already resource-strapped IT teams who had been dealing with a plethora of network security issues for two years brought on by the COVID-19 pandemic and the overnight surge of remote workforces.

Depending on the version and the type of application, the log4j vulnerability’s scope and severity ranged from focused and moderate to widespread and critical. Some vendors were hit harder than others, such as Cisco, whose Identity Services Engine system saw more than 120 configurations affected. Others, like Microsoft, capitalized on the opportunity, rolling out solutions to proactively seek out and manage affected files, software, and devices impacted by log4j.

Widespread & Hard to Pin Down

The extent of the impact of the log4j vulnerability was in many ways foreseeable. The root cause: human “ingenuity” that could otherwise be called laziness. Rather than reinventing the wheel by creating a new set of code for each application that is developed, software engineers now often patch together existing libraries and packages for shared functions to generate much of the codebase that runs critical applications.

Like many noteworthy cyber incidents before it, the Log4j vulnerability helped us open our eyes to just how many software dependencies exist across enterprise systems — no matter if they are designed for security, operations, or sales. It also highlighted to us just how hard it is to mitigate and develop stopgaps for these vulnerabilities when they are so far-reaching and barely understood, especially in the early days of disclosure.

While the ability to utilize the same code across many systems does offer value in terms of time to market, the problem is that many prefabricated libraries and open-source projects are interdependent, resulting in a web of dependencies that drill down many layers. Inevitably, this creates a scenario where indirect dependencies that can be nearly impossible to identify and troubleshoot when a vulnerability is unearthed.

For the average Joe IT manager, this just means that the software you licensed was likely built using common third-party code you’re not even aware of that likely contains some vulnerabilities. Multiply this shared code across other enterprise systems in your stack – and queue the headaches.

Avoiding Issues Like Log4j as an End-User

Java is a programming language that’s been around for a while and is commonly found in older on-premises software. As such, it should not come as a surprise that the classic tech giants of the world wasted no time prioritizing the log4j vulnerability – they had billions of dollars in revenue at stake across their suites of legacy software. And to make matters worse, the issue didn’t just impact Java-based systems, but also Java components and development frameworks that rely on it including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, ElasticSearch, Apache Kafka and many others. We’re talking about tens of millions of impacted systems in use at any given moment today.

How to avoid such widespread vulnerabilities is more than a question of choosing which apps are programmed with which language(s) – software engineers can debate the efficacy of each until they are blue in the face. Rather, it’s a question of how to consume enterprise software. For organizations more reliant on cloud native software-as-a service applications, IT employees almost certainly experienced fewer lost weekends dealing with the log4j problem.

This is because SaaS has a shared responsibility model, whereby both the vendor and the customer are responsible for the security of the application in use. The onus is on the SaaS vendor to deliver secure products and services, while the responsibility for configuring, managing, and using the product lies with the customer. In the case of Log4j, most of the heavy lifting falls on the SaaS vendor. They must ensure that their products are not affected. If they are, it is up to them to provide transparency into how the system is being patched and how the vulnerability is being mitigated.

While this differentiation seems simple, implementing a cloud-first IT strategy – no matter if universal or by function – can mean retaining IT talent by avoiding burnout, optimizing your IT budget by eliminating the need for third-party professional services, and so much more.