Countdown to Black Hat: Top 10 Sessions to Attend — #4

With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Why we’re recommending it

As billions of traditionally offline products — security cameras, home appliances, medical equipment, vehicles, industrial machinery — get connected to the Internet, the attack surface grows exponentially. “Put as simply as possible, the huge increase in the number of IoT devices in use pretty much automatically leads to an accompanying rise in security vulnerabilities,” Frederic Paul, an editor at New Relic, wrote.

Compounding the problem is the notoriously weak security of many of these newly connected “things,” due to several reasons, including IoT manufacturers’ limited expertise and awareness of IT security. In December, the IoT Security Foundation, a non-profit devoted to making IoT systems safer, published results of a study showing that under 10% of consumer IoT companies follow vulnerability disclosure guidelines, and only about 1% abide by a 90-day deadline to fix reported issues. “In a hyper-connected world, this is crazy,” said John Moor, Managing Director of the IoTSF.

Likewise, legacy infosec products often can’t detect IoT devices nor assess their security posture, leaving organizations with little visibility and control over these systems. 

Unsurprisingly, hackers have had a field day compromising IoT systems. They have hijacked IoT devices and networks to massively distribute malware, launch large-scale DDoS attacks, steal data, and do other nefarious deeds. “Many IoT devices are easier to hack than traditional IT devices, making them the endpoint of choice for the bad guys,” Zeus Kerravala, ZK Research founder, wrote.

The U.S. National Institute of Standards and Technology (NIST) is concerned. In June, NIST published a report to help federal agencies “better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles.” The 44-page document is just the first in a planned series of publications about this topic.

Some see a link between IoT security problems and the use of Linux on IoT devices. Per Buer, IncludeOS CEO, believes that Linux is far from perfect as an embedded OS. Meanwhile, Nacho Sanmillan, an Intezer Labs security researcher, recently said that most Linux malware “is either tied to IoT, DDoS bots or cryptominers.”

Consequently, we think this course could be helpful for security pros interested in getting up to speed on IoT security, since they will learn about common design choices on embedded Linux devices and where to look for weaknesses. 

Qualys at Black Hat USA 2019

A Diamond Sponsor, Qualys will again have a major presence at Black Hat USA 2019, which runs from Aug. 3-8 at the Mandalay Bay in Las Vegas. We’ll be there explaining how we can help organizations protect their hybrid IT environments without slowing down their organizations’ digital transformation.

We invite you to stop by our booth (#204), enjoy a cup of coffee from our Nespresso bar, and chat with our product managers and technical account managers. We’ll raffle hi-tech prizes and give out tote bags after each presentation, including:

• Exclusive product previews, including of our new Threat Detection and Response Platform
• Best practices presentations from leading enterprises
• An overview of how Qualys Cloud Platform, our end-to-end security and compliance solution, gives you a real-time, holistic view of your threat landscape, and comprehensive capabilities for attack prevention and incident response