How to Protect Your University from Malware You’ve Never Heard Of
The IT infrastructure faces security challenges that Internet of Things (IoT) device manufacturers, vendors and users sometimes fail to understand. All too often, device makers don’t prioritize security testing or design in comprehensive security and privacy protections. They may not realize how quickly IoT botnets can spread or how they can camouflage the real targets of their attacks.
Botnets Wreak Havoc at Universities
Universities are particularly vulnerable to IoT botnet invasions. The following scenario is a cautionary tale, based on real-life incidents that have happened in higher education.
Campuswide, internet access was either slow or unavailable because thousands of discrete IoT systems, hosted by the IT network segment devoted to IoT, improperly obtained networkwide access through a different subnet. This resulted in the rapid-fire creation of hundreds of bogus Domain Name System (DNS) lookups and the elimination of legitimate lookups. The culprit was a new botnet that used brute force on weak passwords so the malware could control IoT devices, obtain updates and change device passwords to shut off systems that controlled everything from soda machines to light bulbs.
So, what can universities do — on their own and in league with solutions vendors — to protect against botnet assaults on their IoT devices?
Design and Build with Security Top of Mind
For starters, security must be a design consideration instead of an afterthought.
“Developers must start thinking about security and building it in,” says Bob Turner, CISO at the University of Wisconsin-Madison. “It should be a bake-it-in, don’t-bolt-it-on approach.”
That includes developing security controls that focus on encryption, device authentication, key management, virtual local area network (VLAN) segregation and code signing — and doing so in a timely, cost-effective fashion.
“We need to be able to deploy IoT endpoints and solutions on campus with speed and agility, make sure they work and move on to the next step,” Turner says.
Good Cyberhygiene Is a Monitoring Tool
The most fundamental element of security is keeping tabs on what endpoints are actually doing.
“If you’re not monitoring it, you’re not managing it,” says Turner. “You must have a routine for your IoT networks. That’s the only way you’re going to detect and mitigate any kind of botnet-type infiltration.”
Chris Roosenraad, chairman of the IoT Committee of the Messaging Malware Mobile Anti-Abuse Working Group and a director at Neustar, recommends that colleges keep three points in mind:
Botnet attacks on IoT devices — fuzzing ports, seeking out weak user credentials, obtaining generic user access on the way to getting privileged access — aren’t different from attacks that have hit the internet before.
It’s almost impossible to frustrate a highly skilled attacker with a specific target in mind, so focus on preventing attacks from someone who’s just looking for any vulnerable target.
Rather than try to plan for all eventualities with an overly complicated solution, develop basic protections that meet the 80-20 rule, where 20 percent of the work achieves 80 percent of the results.
Higher education institutions have uniquely sensitive IoT device–based operations that demand protection from breaches that would compromise the data involved, block the operations, or both. For example, building card access systems fall in the first category, while the second includes refrigerators that hold specimens at optimal temperatures and microscopes that transmit images.
Turner suggests VLAN isolation to properly house such systems. Separate VLANs also work because more isolation can lead to better management of threats.
“If I find out that a specific technology is now hosting a son of Mirai (the virulent botnet that has launched especially disruptive denial-of-service cyberattacks), then knowing where it’s installed on campus, I can manage the threat better from a cybersecurity perspective if I have better VLAN isolation,” says Turner.
Similarly, isolating specialized research lab equipment in this way safeguards both the transmitted data and the equipment itself from ransomware and other threats.
DNS Protection Solutions and Challenges
Specific aspects of the cautionary tale above, such as interference with DNS operations, are common problems for colleges because DNS is the first resource queried when a device wants to access a service over a network. To deal with this, IT administrators can rate-limit queries coming into the DNS infrastructure to prevent abusive levels of traffic from interfering with other legitimate uses.
Roosenraad suggests that colleges overprovision to ensure they can handle a spike in traffic. Administrators can also deploy blocking filters that detect devices doing anything out of the ordinary.
“If you have an IoT device that is a sensor that gauges the temperature of a building, there’s no reason that sensor should ever be making a query for CNN.com,” Roosenraad says.
Yet there are cost, scale and expertise challenges in implementing any of these options. That means institutions often have a decision to make, in Roosenraad’s view.
“Do they look to bring those resources in-house? Do they take advantage of the growth in cloud computing and outsource it? Or do they potentially pay for software that traditionally was free and not quite as feature-rich but fully capable of doing what they needed in the past?” he says. “It’s no longer quite as easy to do, and that’s just the nature of the beast these days.”
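The two DNS controls described in this section, a per-client rate ceiling and a filter for queries a device has no reason to make, can be sketched as detection logic over resolver query logs. This is an added example, not code from the article or from anyone quoted in it; the log format, device classes, addresses, domain names and the five-queries-per-second ceiling are all constructed assumptions.

```python
from collections import defaultdict

# Assumed policy: DNS names each device class is expected to resolve (constructed).
EXPECTED = {
    "temp-sensor": {"telemetry.campus.example", "ntp.campus.example"},
    "vending": {"payments.vendor.example", "ntp.campus.example"},
}
# Assumed inventory of the IoT VLAN: source IP -> device class (constructed).
INVENTORY = {"10.20.0.11": "temp-sensor", "10.20.0.12": "vending", "10.20.0.13": "temp-sensor"}
MAX_QPS = 5  # assumed per-client ceiling for queries in a one-second window

# Constructed resolver log, one query per line: "<epoch-seconds> <client-ip> <qname>"
SAMPLE_LOG = "\n".join(
    [
        "1700000000 10.20.0.11 telemetry.campus.example.",
        "1700000000 10.20.0.12 payments.vendor.example",
        "1700000001 10.20.0.11 CNN.com",             # sensor asking for a news site
        "1700000001 10.20.0.99 ntp.campus.example",  # address missing from inventory
    ]
    # One sensor issuing a burst of bogus lookups inside a single second.
    + [f"1700000002 10.20.0.13 host{i}.bogus.example" for i in range(8)]
)


def analyze(log_text, max_qps=MAX_QPS):
    """Return (unexpected, rate_limited): off-policy queries and clients over the ceiling."""
    unexpected = []
    per_second = defaultdict(int)
    rate_limited = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        per_second[(client, int(ts))] += 1
        if per_second[(client, int(ts))] > max_qps:
            rate_limited.add(client)
        device = INVENTORY.get(client, "unknown")
        # Unknown devices get an empty allowlist, so every query they make is reported.
        if qname not in EXPECTED.get(device, set()):
            unexpected.append((client, device, qname))
    return unexpected, sorted(rate_limited)


if __name__ == "__main__":
    flagged, limited = analyze(SAMPLE_LOG)
    print(len(flagged), "unexpected queries; rate-limit candidates:", limited)
```

Knowing which device class sits at which address is what makes the allowlist check possible, which is the same inventory that VLAN isolation depends on.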