The IT Nerd

The ransomware attack on a pipeline company that was perpetrated by a criminal gang which I told you about over the weekend is really starting to cause problems now. Reports are surfacing that gas stations along the east coast of the US are running out of fuel. And while Canada isn’t affected as I type this, that could change. The bottom line is that this is likely the most disruptive ransomware attack that I’ve ever heard of.

I reached out to cybersecurity company Keyfactor (https://www.keyfactor.com/) for there thoughts on this hack and I got two responses back. Chris Hickman, chief security officer for Keyfactor had this to say:

“There is a side narrative around this story regarding security and critical infrastructure and the need to secure all elements of infrastructure – security cannot be an afterthought but rather needs to be designed and planned at every step. Good security is rarely retrofitted (retrofittable), especially when it comes to IoT devices. It needs to be built in as a core fundamental and planned for to exceed the anticipated lifetime of the product it is securing.”

Mark Thompson, VP of product management for Keyfactor had this to say:

“Even as use cases evolve, applying best practices and avoiding common pitfalls will go a long way in ensuring security is established at design, and sustained through the device lifecycle. Here are three common pitfalls and the actions manufacturers can take to avoid them:

1. Hardcoding credentials on to the device: A number of IoT devices are inherently limited due to hardcoded credentials – a common outcome when manufacturers embed passwords or shared keys into firmware to help simplify development or deployment at scale. If accidentally leaked, threat actors or individuals without proper authority can access an entire fleet of devices. Ensuring strong mutual authentication between any connected devices or applications within the overall deployment is key.
2. Unsigned Firmware: A larger number of IoT devices go to market with unsigned firmware. As more devices connect, the need for firmware signing grows. It’s strongly recommended that device makers sign firmware with a tightly controlled code signing certificate that only permits access to authorized individuals; another critical step is to keep an internal audit trail of all code signing activities. Utilizing a trusted public-private key pair is the most effective means to secure device firmware and have the ability to check and verify the device’s signature before booting the device or installing firmware updates.
3. Weak authentication and encryption: Implementing strong cryptographic keys and algorithms that match the device’s use case applications are critical to hardening its long-term security. Equally important is ensuring sufficient entropy to produce an encryption key; randomness in key generation is priority through this process.

The bottom line is that we have now seen how wrong things can go when your IT security isn’t on point. Hopefully companies do what is required to keep their IT infrastructure safe.

This entry was posted on May 12, 2021 at 1:28 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.