Don’t Let Security Make You Wannacry
November 01, 2021
Wannacry exploited unpatched instances of the Windows OS on more than 200,000 devices worldwide. After compromising a system, the ransomware executed a break-once-run-everywhere (BORE) tactic in which it disclosed secrets keys and moved laterally and vertically across infrastructure.
Currently the global cost of Wannacry is estimated to be as much as $8 billion in revenue lost from denials of service, restoring and resecuring secret keys, increased cyberinsurance premiums, etc.
The obvious lesson here is that updating embedded software and operating systems is a critical component of modern security. But many of us already knew that. The challenge is that keeping embedded system software and firmware up to date can be exhausting, especially as the complexity and number of managed devices increases.
Of course, the developers of threats like Wannacry don’t care. In fact, Sunil Cheruvu, Senior Principal Engineer of IoT Security at Intel and Co-Chair of the IoT Sub Group at the Trusted Computing Group (TCG), says they’re counting on it.
“Any common vulnerability that’s left unpatched could be exploited to compromise and install malware that, in turn, could compromise the entire network,” he explains.
In his role at TCG, Cheruvu is hoping to reduce the complexity associated with managing, updating, and securing large numbers of IoT devices. To do this, the Working Group is employing a three-pronged approach around protection, detection, and recovery. It allows users to reliably determine whether platforms are in known good state, when corruption has occurred or vulnerabilities haven’t been patched, and persistently update code and configuration data.
These requirements have been defined in three architectural abstractions that simplify updating device firmware and software:
- Resilience Target – A mutable engine that allows persistent updating of device code and configuration data
- Resilience Engine – A module that performs service actions on local Resilience Targets.
- Resilience Authority – The definitive entity that authorizes Resilience Engines to perform servicing actions on a Resilience Target.
According to Cheruvu, the provisions work in sync to ensure that updates are scheduled and there is a “golden image” that the device can fall back to in case of a security event.
No Crying In Security
These efforts are part of the TCG’s “Cyber Resilient Module and Building Block Requirements” specification, which underwent public review earlier this year. Still, the security model it proposes is based on a zero-trust architecture rooted in hardware and software security mechanisms, which will take time to “become the mainstream and proliferate into platforms at the silicon level.
Until then, if a system is attacked, Cheruvu says that the key to recovery depends on your existing investment in cyber defense. Specifically, whether your security is based on sufficient threat modeling that allows you to comprehend risks associated with vulnerabilities and how in depth your mitigation strategies are.
If you haven’t performed a threat analysis like this, he recommends you keep up with trends by monitoring the NIST National Vulnerability Database for “related code libraries impacted by a specific CVE and then implement a correct and complete patching strategy.”
You can also attend Cheruvu’s session at the 2021 IoT Device Security Conference entitled “Secure Update and Cyber Resiliency.” The live session will take place virtually on November 9th at 2:00 PM EDT, where the Intel security expert will explain the TCG’s latest security efforts and answer questions.
Read the abstract below or answer register for free at https://iotdevicesecurityconference.com/registration.php.
Secure Update and Cyber Resiliency
Ensuring that the firmware and software on an IoT device are updated to the latest version is critical to maintain a secure state with all the known vulnerabilities addressed. This talk will set the context with pertinent threat landscape data from NVD database on IoT devices and relate Cyber Resiliency. The TCG guidance will be introduced and concludes with the evaluation of technologies including TPM and DICE to achieve the objectives.