{"id":2696,"date":"2017-01-02T00:00:39","date_gmt":"2017-01-02T08:00:39","guid":{"rendered":"http:\/\/192.168.3.4\/?p=2696"},"modified":"2018-01-09T06:51:12","modified_gmt":"2018-01-09T14:51:12","slug":"security-and-reliability","status":"publish","type":"post","link":"https:\/\/www.cloudacm.com\/?p=2696","title":{"rendered":"Security and Reliability"},"content":{"rendered":"<p>In the latter part of 2016, there was an event that captured the attention of the public.\u00a0 The internet of things had its major debut as a tool for those with bad intent.\u00a0 It had been seen as a serious problem by security professionals long before.\u00a0 Now the threat was real.\u00a0 Automation should still require attention.\u00a0 The IoT world is not something that should be left at defaults to run unabated as is.\u00a0 Unlike traditional user interface devices that would be turned off after use, the IoT runs while we sleep.\u00a0 This is one of many reasons why the IoT should be scrutinized.<\/p>\n<p><iframe loading=\"lazy\" title=\"DEF CON 23 -  Peter Shipley - Insteon: False Security and Deceptive Documentation\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/dy1LTQLmPtM?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>In the posts to follow, I&#8217;ll be covering home automation and monitoring using the Raspberry Pi, Arduino, and XBee, with the purpose of identifying and reducing waste.\u00a0 The hidden challenge will be reliability and integrity.\u00a0 That will be the focus of this post.\u00a0 I&#8217;ll be covering methods to reduce issues should a fault occur.<\/p>\n<p>While researching, I came across several brands that offer completed kits.\u00a0 The home automation devices they offered are a great low-cost option versus creating devices from 
scratch.\u00a0 It became clear that security is a concern if I were to use a shrink-wrapped product.\u00a0 However, the problem with marketed products is the obfuscation.\u00a0 The mystery is underneath the shiny plastic cover or missing from the manual included in the box.\u00a0 It&#8217;s understandable from the business&#8217;s point of view.\u00a0 That is proprietary knowledge and intellectual property.\u00a0 Still, if the device enters my home, I must know how it operates and be aware of any risks it poses to my home.<\/p>\n<p>Here is a guideline of precautions to take, with some logic behind them:<\/p>\n<ol>\n<li>Do not connect it to the network<\/li>\n<li>Ensure physical security<\/li>\n<li>Create a system recovery image<\/li>\n<li>Provide redundancy with hardware<\/li>\n<li>Back up data with the 3-2-1 methodology<\/li>\n<li>Remove privileged access<\/li>\n<li>Use 2FA and strong passwords<\/li>\n<li>Authenticate over secure channels<\/li>\n<li>Segment the network if connections are required<\/li>\n<li>Standby or power off resources during times of non-use<\/li>\n<li>Use a firewall<\/li>\n<li>Promptly patch systems when updates are released<\/li>\n<li>Run virus and malware scanning processes<\/li>\n<li>Log activity and replicate it<\/li>\n<li>Continue to learn<\/li>\n<\/ol>\n<p>The simplest method is to not connect to the internet.\u00a0 However, even out-of-band devices will come in contact at some point through a third party.\u00a0 Wireless devices have an additional challenge.\u00a0 Unlike wires, which offer some type of physical security, radio waves cannot be contained.\u00a0 I equate it to having a data jack floating in space that anyone can attach to.\u00a0 Is the data encrypted?\u00a0 Is it discernible?\u00a0 Why leave that to chance?\u00a0 Garage door keyless entry has been hacked.\u00a0 Just like my data jack analogy, now it&#8217;s a door handle floating in space.<\/p>\n<p>The three traditional methods have been firewall, patching, and virus protection.\u00a0 This 
is fine for simple desktops.\u00a0 For systems and services, these three methods are just not enough.\u00a0 In addition to them, you should have a way to operate if a system is down for any number of reasons.\u00a0 System recovery and data recovery are key to stable operation.\u00a0 System recovery involves either image recovery of the running operating system or transferring operation to parallel hardware.\u00a0 Data recovery is a simple matter of backups.\u00a0 The 3-2-1 method is a resilient model to follow.\u00a0 Having the data available is key.\u00a0 Make 3 copies, use 2 types of media, and keep 1 off site.<\/p>\n<p>Another commonly overlooked method is privileged access.\u00a0 Most desktops operate with a user that has full privileged access to the operating system resources.\u00a0 Processes run by the user also have this same level of access.\u00a0 As you can see, if a process runs while that user is active, it has unfettered authority to do anything on the system.\u00a0 Limit user privilege and you limit the processes that run while that user is active.<\/p>\n<p>Systems are more likely to have some facet of authentication security built in.\u00a0 This means they most likely have default credentials.\u00a0 Change them. Really!\u00a0 Do not keep any of it the same.\u00a0 Some firmware has been documented to have embedded credentials in it.\u00a0 These back doors are damning.\u00a0 For that reason, enable 2FA if possible.\u00a0 If your device has a web-based login, use encryption.\u00a0 Usernames and passwords entered over standard HTTP or FTP can be captured and easily read.<\/p>\n<p>One more item is network segmentation.\u00a0 Place your services in networks that serve a specific function.\u00a0 VLANs provide one method of this by placing desktops in one network, servers in another, devices in another, etc.\u00a0 It is useful to identify the purpose of your network, services, and users.\u00a0 This is unique to you.\u00a0 Using the defaults 
for every situation is a risk not worth taking.<\/p>\n<p>For systems and services not in use after hours, consider power save and standby.\u00a0 This not only ensures no access, but also saves energy.\u00a0 Why does a file server need to be available at 3am if no one is around?\u00a0 If services can be turned off or processes stopped when no use is expected, this decreases the chance of misuse.<\/p>\n<p>Nothing is going to cover it 100 percent.\u00a0 Something is going to occur that may not be motivated by malice.\u00a0 Log system activity.\u00a0 If an incident does happen, you&#8217;ll have a record of it.\u00a0 These logs are targets as well.\u00a0 Due to the threat of being found out, a bad actor could attempt to cover their tracks by purging the logs.\u00a0 Replicate the logs in real time.\u00a0 Send that information to a place far removed.\u00a0 If your system is reduced to a pile of rubble, the record of it will still be available.<\/p>\n<p>Lastly and most importantly, continue to learn as new techniques arise.\u00a0 Complacency is a killer.\u00a0 If that comfortably dumb feeling of thinking you&#8217;re covered settles in, shake it out.\u00a0 The landscape hasn&#8217;t settled; neither should you.<\/p>\n<p><iframe loading=\"lazy\" title=\"2017 Security Predictions  #3   IoT botNet Zombies\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/OhiYutuPkWA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Demystifying IoT should be a priority.\u00a0 IoT devices are like any ordinary computer with network access.\u00a0 Once you recognize that potential, you&#8217;ll have a better understanding and can make the decisions needed to ensure security and reliability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the latter part of 2016, there was an event that 
captured the attention of the public.\u00a0 The internet of things had its major debut as a tool for those with bad intent.\u00a0 It had been seen as a serious problem by security professionals long before.\u00a0 Now the threat was real.\u00a0 Automation should still require attention.\u00a0 The IoT world is not something that should be left at defaults to run unabated as is.\u00a0 Unlike traditional user interface devices that would&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2696","post","type-post","status-publish","format-standard","hentry","category-rd"],"_links":{"self":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2696"}],"version-history":[{"count":11,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2696\/revisions"}],"predecessor-version":[{"id":2714,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2696\/revisions\/2714"}],"wp:attachment":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2696"},{"taxonom
y":"post_tag","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}