8 hours 10 minutes
Hi, I'm Matthew Clark and this is less than 1.50 wasp I o t Top 10, part one.
In this lesson, we're going to discuss the first five of the O Wasp Coyote Top 10. This includes week decibel or hard coded passwords, insecure network services, insecure ecosystem interfaces,
lack of secure update mechanism
and use of insecure or outdated components. So let's get started.
So here it is. The old WASP Coyote Top 10 list.
The 2018 edition, which is the most current at this time.
The WASP Coyote Top 10 list comprises the top 10 things that you should avoid at all cost. It's a list of weaknesses, and if it's on this list, then it's a pretty good reason for it.
Daniel Mesler is on the team that developed to put together Theo Wasp Coyote Top 10. He gave a talk in October 2018. The link is in the reference materials in which he spoke about the methodology of how this list was put together.
They looked at a lot of different databases, such as M V D bug crowd, VRT and other sources, as well as I ot projects such as the C s a nest insa,
and they took that data set and normalized and sort of it
to find the most common problems affecting I o T. Security. So let's start with number one
So number one week decibel or hard coded passwords. This includes consumer issues such as weak passwords, either password on the top password lists, or guess able passwords such a czar, last name or reuse of existing passwords across different accounts
for the O. A. M. It could be hard coded passwords and you see this a lot and legacy i o T devices
credentials could be located on a public repo in documentation or something you could easily Google.
And that password is reused. You know, that's just not common among just consumers
or the OM could forget Thio, disable a backdoor or include a back door and credentials event are used to access the device
and California i o T Law. It attempts to address this a little bit where you can discuss that more module seven
but passwords. One thing to remember. Passwords are an input for botnets. 2020 risen Data breach investigations report found that 80% of hacking related breaches are still tied. Passwords
number two is insecure network services.
This includes vulnerable services that could be used on the device or throughout the ecosystem,
which in turn could lead to compromise.
Insecure services could be Tell Net or http or ssh,
it could be services. They're just left running on the device. You don't necessarily need to be or open Damien's that air. Just listening for connection.
It could be the aims that failed a lock down ports on the device OS.
I think about 1st, 2nd what you could find and showed in, And that should help give you an example of kind of what this is talking about
again. Don't feed the bottom. That
an example that combines 1st and 2nd entries on the top 10 list is the Mirai botnet.
It is peak in 2016. It had consumed over 600,000 coyote devices,
and it did this by discovering open till net ports and then brute, forcing the log in and generally doing bad stuff from there.
Number three is insecure ecosystem interfaces.
Now for number three. It's all the common ways that you would get into an I O. T. System or or ecosystem
for the 2018 top 10 list. They combine a couple different things from the 2014 top 10 list to come up with this new entry.
They combine the insecure Web AP Ice and interfaces along with insecure backhand. AP Ice Cloud, AP Ice and Mobile AP Ice.
Now, for this particular 11 of the things to be sure of is to make sure that your application code and your websites are not vulnerable to common things such as SQL Injection cross site scripting a cross site request forgery,
the Palo Alto 2020 Unit 42 i o T Threat Report. That's a mouthful.
But this report found that 72% of healthcare V lands mixed there I o. T. And I t assets together, making it possible for malware to spread from the computers to vulnerable i o T devices.
The 2018 net Scout Threat Intelligence report found something really interesting. They found that the average time it took for a I ot device to be attacked
once it was connected to the Internet was only five minutes.
Think about that.
Number four is a lack of secure update mechanism
in less than 1.2. We mentioned that 57% of all I o T devices were vulnerable to medium and high severity attacks.
So lacking a patching process remains a major factor
for old vulnerabilities as well as credential attacks using known passwords.
Number four only OAS coyote Top 10 includes ah lack of authentication for updates
which could introduce rogue devices into the ecosystem
or could be leveraged for attacks on other legitimate ISIS
or could. It also includes a lack of authentication, which could lead to malicious updates
and also related to this is attacking the update process itself, or supply chain attack,
where malicious updates are injected into a trusted channel.
The C C cleaner attack is a well known example of this
threat. Actors can target specific regions or industries. An example is Petra or not, Pitta attacks
when third actors can target isolated environments like industrial O. T or I. C s.
Number four also includes a lack of secure delivery, such as sending the update in clear text or not signing the update.
It also includes a lack of firmware validation. How do you know that the firmware is valid and proper
conditions where the security of date changes. User preference is also an issue where the update rolls back, the security settings back to default or worse, the customers not notified of the change.
Also including this is the lack of anti roll back for security patches. And maybe that's a design decision. But the customer would need to know that
Number five is the use of insecure or outdated components.
This includes both vulnerable services and vulnerable interfaces, both of which we've already discussed.
It also includes insecure components found within the supply chain,
which could be depreciated, libraries, software or re use of insecure components.
It could also be re use of compromise components.
Did you know that two years after the Equifax breach, the 65 of the Fortune 100 companies downloaded the same vulnerable version of Apache struts that was used in that reach? I still wonder why,
so this one also includes insecure code or components and board support packages or software development kits, which are used in the attitude hardware development process.
We have a case study about urgent 11 that will look at a module four that will kind of cover them
and also includes altering the OS of this insecure or using a vulnerable operating system to begin with
the four Scout 2020 Enterprise of Things security report. I have no idea why these threat reports have such long titles, but they dio. But anyways, this particular third report
found that embedded when 27 unsupported version represents
a major risk. It's used in 30% of managed devices in manufacturing and 35% of devices and health care.
In this lesson, we discussed five of the WASP I O T Top 10,
which includes the week ungettable or hard coded passwords,
insecure network services,
insecure ecosystem interfaces,
lack of secure update mechanisms and use of insecure or outdated components.
Join me for the next lesson where we'll continue our discussion.