Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

02:30 PM
Jose Nazario
Jose Nazario
Connect Directly
E-Mail vvv

Tunneling Through The "Walls" Of IoT In The Enterprise

The movie "Die Hard" has a thing or two to teach us about the pitfalls of the Internet of Things.

Much has already been written about the threat that Internet of Things (IoT) devices pose to the larger Internet. Think about the October 2016 Mirai botnet attacks and the discussions since then. But this column isn't about that. It's about the specific threat that Internet-connected devices pose to an enterprise network, and how we can intelligently apply network architecture to achieve security aims.

For an intranet, IoT devices create an overlay network comparable to the vast high-rise Los Angeles commercial building in Die Hard, where most of the 1988 movie takes place. In the film, Bruce Willis plays the role of New York City cop John McClane, who visits his estranged wife at her office Christmas party in Nakatomi Plaza in L.A. The party gets attacked by terrorists, and McClane saves the day with some ingenuity, firepower, and brawn.

L.A.'s Fox Plaza, location for Die Hard's fictional Nakatomi Place  
Image Source: Capture Light via Shutterstock

L.A.'s Fox Plaza, location for Die Hard's fictional Nakatomi Place
Image Source: Capture Light via Shutterstock

In a recent blog post entitled "Nakatomi Space," Geoff Manaugh (author of the BLDGBlog architecture blog and the book The Burglar’s Guide to the City, both of which I recommend for any cybersecurity professional) describes the movie as a great study in the unintended effects of architecture. He writes:

Over the course of the film, McClane blows up whole sections of the building; he stops elevators between floors; and he otherwise explores the internal spaces of Nakatomi Plaza in acts of virtuoso navigation that were neither imagined nor physically planned for by the architects.

His is an infrastructure of nearly uninhibited movement within the material structure of the building.

The parallels to cybersecurity are striking: network and security architects typically design networks to meet the obvious business needs of connectivity and speed. But this approach creates unintended consequences. Look around your office now and you’ll probably see network-connected printers (quite common for about two decades), VoIP phones (standard for a decade now), and probably IP-enabled cameras and building controls such as HVAC, and door and building access mechanisms such as proximity card readers (increasingly common in the past decade). In both network security and Nakatomi Space, the infrastructure was created to enable occupants to use and traverse the space, or systems, as the case may be.

Without this out-of-sight support infrastructure, the usability of the main space dramatically drops. An additional challenge is that both types of infrastructures are typically invisible from a defense standpoint. We all tend to overlook the real and digital equivalent to air ducts and windows. The attack surface  this creates for enterprises was demonstrated by Ang Cui in his Stepping Pwns talk. He and his team at Red Balloon were able to compromise a network without touching a standard computer. This avoids the bulk of the defenses installed: antivirus, logging, file, and process integrity checks, for example, undermining the majority of an enterprise's security efforts.

Applying the lessons of physical space security to network defense has been on my mind for many years. Since I first visited Halifax, Nova Scotia, about a decade ago, I've been eager to try and apply fortification lessons to network security. The fort at Citadel Hill, for example, "connects" via a network of flags and signals to a network of towers in the harbor waterway leading to the city. This enables defenders to signal the approach of enemy ships, giving the city hours to raise their defenses. However, in the years since I began reading Manaugh, I’ve instead begun to focus my thinking on how intelligent building designers utilize architecture and landscape features to actively defend their inhabitants.

I’m reminded of the writings of Major Gen. Sir Ernest Dunlop Swinton’s Defence of Duffer's Drift, a 1904 novel about lessons learned in the defense of a river during the Boer War. In the story, the protagonist reveals the strengths and weaknesses of various fortification positions. A combination of natural and manufactured structures alerted defenders to attackers as they approached, and forced them to attack from a weaker position. These types of insights have gone largely ignored in network security lessons. When designing networks, the castle wall narrative has been prevalent for too long - at the expense of designs that parallel security features of well-defended cities.

Network security architecture can, and should, learn a lot from building and city architecture. The lessons can be abstracted to achieve the same goals, namely spotting intruders as they approach, and confusing them should they gain entry, or at least slowing their progress. Historically, we architected networks with a distinct management network and a separate data network. The management network requires combinations of physical and logical controls to limit access to a small set of administrators. With an increasing number of IoT devices, some administrators have advocated building a similar separate network for control devices to keep them away from the data that comprises corporate assets. This would, at the least, prevent the "Stepping Pwns" attack whereby attackers bounce around between computers and data once inside the network.

If the above discussion suggests anything, it's that corporations shouldn't be passive in their IoT network security. Instead, admins should ensure that they not only have visibility into what's going on in the Internet-connected device network, but also guarantee that visibility through the entire structure of the network. Anyone who moves through the infrastructure must leave an indelible trail and be thwarted at every turn, lest they treat it as an unobstructed air duct through Nakatomi Plaza. I urge companies to turn those (virtual) air ducts into a confusing set of passages, perhaps even traps, and prevent thermostats from becoming stepping stones.

Related Content:

Dr. Jose Nazario is the Director of Security Research at Fastly, and is a recognized expert on cyberthreats to ISPs, network subscribers, and enterprises from cybercrime and malware. He was previously the Research Director for Malware Analysis at Invincea Labs. Before his ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/23/2017 | 9:00:24 AM
This is http://www.survivalindeed.com/">tactical info
Love The Internet Of Things & Really Great Article Thanks :) 
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
PUBLISHED: 2019-07-16
Norton Password Manager, prior to, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal.
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).