How to not become part of the planet’s largest botnet
The surge of networked devices in the Internet of Things (IoT) has raised the stakes for information security once more. But IoT sensors and actuators also pose a threat to existing information infrastructure: they can be used as remote-controlled drones in so-called Distributed Denial-of-Service (DDoS) attacks. How do we ensure the trustworthiness of information systems in the Internet of Things? How do we protect against attacks by a global bot army?
Boon and bane of IP-based networking
The trend towards “augmenting” everyday objects into “smart things”, and the business models built on them (interaction, monitoring, predictive maintenance, extra services), require the global networking of devices. To enrich IoT devices with value-added services, they have stepped out of the shadows of industrial production facilities and their proprietary protocols. Today they communicate primarily via IP-based networks, and with distressingly high bandwidths. This is manifested in rising attacks on IoT devices such as routers, webcams and smart TVs, but also refrigerators and (yes!) washing machines. Depending on the source (Mozilla, IDC, ABI Research, Gartner, Frost & Sullivan), the number of IoT devices in 2020 is estimated at between 26 and 40.9 billion.
The majority of new application programming interfaces (APIs) are now developed using the REST architecture paradigm. With HTTP(S) as the standard protocol, the majority of devices can thus be accessed via the public Internet. This standardization — although desirable for developers — has exposed a huge attack surface for IT infrastructures.
According to Akamai, API calls now account for 83% of global Internet traffic, and 40% of web-application vulnerabilities lie not in the user interface but in the API. Gartner expects APIs to account for 90% of the attack surface by 2021 and thus to become the most common attack target by 2022.
At the American parcel service USPS, 60 million user data records were exposed via an API for one year. A flaw allowed any logged-in user to perform a wildcard search across all user accounts and (physical) packages without further authorization checks. The bug thus sat at the most basic implementation level: access protection.
In 2016, the malware “Mirai” (still active in modified versions) was responsible for the largest botnet and the largest DDoS attack seen until then. Due to the size of the botnet, the attack could be executed with a load of 620 Gbps, enough to take down many critical information infrastructures.
In the B2C market, convenience is often traded for security, with the result that devices such as webcams and other “smart home” products are repeatedly shipped with default passwords or without any encryption at all. Only half of the users change passwords, which leads to these devices being compromised in large numbers and then used for DDoS attacks.
With the growth of home offices, these consumer IoT devices are increasingly found in the same networks as work notebooks. This is accompanied by the loss of personally identifiable information (PII) and the compromise of enterprise information systems.
The risks are inherent to the device characteristics. Limited computing capacity and diversity of hardware and software can prevent or complicate adequate security measures. Systematic maintenance of the devices with security updates and hardened components is still one of the biggest obstacles to maturity. Physical access control is an extra challenge that we already know from the mobile computing era.
Finally, the protection of IoT devices is often neglected because of their low manufacturing costs. Write-offs for defective or lost devices can be part of a business plan, but the consequential costs of security deficiencies rarely seem to be part of that assessment. An ecological problem is the forced replacement of products at the end of their life cycle: with or without the consent of the customer, some IoT devices are bricked (a.k.a. “death by software”).
Vulnerabilities in the Internet of Things
A saying in the IT security community goes: the defender must defend every point, but the attacker can choose the weakest one. “Defense in depth” accordingly describes the protection of all essential stations between the sender and the receiver of data packets, so that a single weak point cannot compromise the entire system. Each new device category (most recently mobile devices, now IoT) can represent precisely this weak point because of its novelty.
The Open Web Application Security Project (OWASP) has established itself as a source of practice-oriented guidelines, in which the most frequent vulnerabilities in web applications, APIs, server applications, etc. are collected. For IoT applications, this list has been aligned with the Baseline Security Recommendations for IoT of the European Union, Common Criteria and other standards. The most common IoT vulnerabilities according to the OWASP IoT Top 10 are (also see image above):
- I1 Weak, Guessable, or Hardcoded Passwords
- I2 Insecure Network Services
- I3 Insecure Ecosystem Interfaces
- I4 Lack of Secure Update Mechanism
- I5 Use of Insecure or Outdated Components
- I6 Insufficient Privacy Protection
- I7 Insecure Data Transfer and Storage
- I8 Lack of Device Management
- I9 Insecure Default Settings
- I10 Lack of Physical Hardening
The top 10 problems show the lack of maturity of the IoT ecosystem. Weak or default passwords should not be among the most common vulnerabilities, nor should the use of insecure network services (on the devices) or insecure interfaces to the rest of the ecosystem. The problems are therefore by no means caused exclusively by the IoT devices themselves, but rather by the overall context of the application architecture. Holistic solutions must therefore be found, starting with the architecture and system design.
Security from the very beginning: Security by Design
Wherever possible, measures to increase security should be applied in the system design and throughout the development process. The basis for this can be threat modeling, which provides an overview of the system boundaries and of the individual systems that communicate with each other. The components can then be analyzed individually and in combination as required, resulting in an assessment that reflects the actual risks.
The risk categories, which are not completely free of overlaps, can be examined, for example, using the following well-known mnemonics (see Writing Secure Code, 2nd edition):
STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
DREAD: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
The identified risks can then be countered with appropriate measures. At the beginning of the development process, these include constructive measures such as applying security-by-design principles, suitable architecture models and design patterns. But analytical measures such as code reviews and load and security tests also make a significant contribution to the security of the overall system.
IoT Architectures: Don’t reinvent the wheel!
Reference architecture models can help to design reliable and secure information systems. They provide definitions and a framework of how different aspects are connected. Usually, they also include patterns of how to solve the most common problems in the given application area. Some (mostly European) IoT reference architectures include:
AIOTI High-Level Architecture (HLA): Comprehensive reference architecture model on IoT and Big Data
oneM2M: IoT-specific middleware with platform-independent APIs (“IoT operating system” for gateways and servers)
Reference Architecture Model Industry 4.0 (RAMI): Comprehensive reference architecture model for Industry 4.0
ISO/IEC 30141: ISO standard for an IoT-specific reference architecture
Notably, the standards reference each other, which makes it necessary to consider and weigh up the individual cases together. For example, the AIOTI architecture classifies itself as a manifestation of the layers in the RAMI model, and oneM2M likewise addresses an implementation-specific subset of RAMI.
Due to the focus of the individual models on certain aspects and the omission of others, no clear mapping between the models is possible, of course. It must be decided in each case which model offers the appropriate framework for the corresponding architecture. However, the use of standards and reference models will most likely increase the security of IoT architectures and connected systems.
Securing an exemplary IoT infrastructure
The figure below shows the components and their interaction in a typical IoT scenario with IoT sensors/actuators, a cloud backend and connected business applications with mobile devices. Each component and each interface in this architecture offers attack possibilities on the overall system. Attackers can use all layers of the OSI model. Accordingly, security must also be considered at all levels.
After the hardware, this begins with the diverse operating systems, which should be hardened and up-to-date. At the operating system and container level, there are also isolation mechanisms (control groups, access control lists, sandboxes, etc.) that should be used.
Furthermore, no unused services should be running, since they unnecessarily increase the attack surface. The use of proxies (IoT gateway, API gateway, cloud gateway, DMZ proxy) also makes it possible to let only very specific data traffic pass through to further systems.
Basic protection at the transport level can be achieved for IoT sensors and actuators with unique, registered IDs and symmetric encryption towards the IoT gateway. The individual components communicate with each other via protocols. IoT-specific protocols such as CoAP, MQTT and AMQP, but also Kafka and REST/HTTP, each have security features that must be implemented correctly. Established standard libraries and frameworks should be used as far as possible; it is generally not advisable to develop even simple security-relevant functions in-house when such libraries exist.
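The device registration and shared-key protection described above, as an added example that is not part of the original article: a gateway that accepts telemetry only from devices with a registered ID and a per-device symmetric key. It uses HMAC message authentication (standing in for the symmetric encryption the text mentions) plus a monotonic counter against replays; all device IDs, keys and payloads are constructed sample values.

```python
# Added example (not from the article): gateway-side registry of device IDs and
# per-device symmetric keys. Each message carries an HMAC-SHA256 tag over
# (id, counter, payload); the gateway rejects unknown IDs, bad tags and replays.
import hmac
import hashlib
import json

# Constructed registry: device ID -> symmetric key and last accepted counter.
REGISTRY = {
    "sensor-0001": {"key": b"constructed-key-0001", "last_ctr": 0},
    "sensor-0002": {"key": b"constructed-key-0002", "last_ctr": 0},
}


def _canonical(device_id: str, ctr: int, payload: dict) -> bytes:
    # Deterministic encoding so device and gateway authenticate the same bytes.
    return json.dumps({"id": device_id, "ctr": ctr, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def device_send(device_id: str, key: bytes, ctr: int, payload: dict) -> dict:
    """Device side: build a message with an HMAC tag over ID, counter and payload."""
    tag = hmac.new(key, _canonical(device_id, ctr, payload), hashlib.sha256).hexdigest()
    return {"id": device_id, "ctr": ctr, "payload": payload, "tag": tag}


def gateway_receive(msg: dict) -> tuple:
    """Gateway side: return (accepted, reason). The payload is only trusted
    after the ID is known, the tag verifies and the counter moves forward."""
    entry = REGISTRY.get(msg.get("id"))
    if entry is None:
        return False, "unknown device id"
    expected = hmac.new(entry["key"],
                        _canonical(msg["id"], msg["ctr"], msg["payload"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so tag bytes are not leaked through timing.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "bad tag"
    if msg["ctr"] <= entry["last_ctr"]:
        return False, "replay"
    entry["last_ctr"] = msg["ctr"]
    return True, "ok"
```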
The use of Web Application Firewalls (WAF) and Identity and Access Management (IAM) can help fend off attacks at the infrastructure level. DDoS attacks can sometimes even be detected and mitigated by features of the cloud infrastructure.
Once the data has reached the back end, the authorization to access certain resources (data, services) should be recorded in policies. The rule set specifies which roles are allowed to perform which operations (read, write) in which context (location, time, IP address, authorization objects…). This allows fine-grained role-based access control (RBAC) to be implemented that grants access only to authorized entities (roles, clients, services), as a white list.
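The policy-based RBAC just described, as an added example that is not from the original article: each rule names a role, the operations it may perform on a resource, and the context (source IP range, time window) in which the rule applies, and a request that matches no rule is denied. Roles, resources and address ranges are constructed sample values.

```python
# Added example (not from the article): a small allow-list policy engine.
# A request is granted only if some rule matches role, resource, operation
# and context; everything else is denied by default.
import ipaddress
from datetime import time

# Constructed policy: who may do what, on which resource, from where and when.
POLICY = [
    {"role": "sensor", "resource": "telemetry", "ops": {"write"},
     "from": ["10.0.0.0/8"], "hours": (time(0, 0), time(23, 59))},
    {"role": "analyst", "resource": "telemetry", "ops": {"read"},
     "from": ["192.168.1.0/24"], "hours": (time(8, 0), time(18, 0))},
    {"role": "admin", "resource": "device-config", "ops": {"read", "write"},
     "from": ["192.168.1.0/24"], "hours": (time(8, 0), time(18, 0))},
]


def _in_hours(now: time, window: tuple) -> bool:
    start, end = window
    return start <= now <= end


def _from_allowed(ip: str, cidrs: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_allowed(roles: set, resource: str, op: str, ip: str, now: time) -> bool:
    """Return True only if a rule grants (role, resource, op) in this context."""
    for rule in POLICY:
        if rule["role"] not in roles or rule["resource"] != resource:
            continue
        if op not in rule["ops"]:
            continue
        if not _from_allowed(ip, rule["from"]) or not _in_hours(now, rule["hours"]):
            continue
        return True
    return False  # default deny: nothing on the allow list matched
```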
Administrative controls for IoT are not much different from those of conventional information technology as listed in ISO/IEC 27010. Detective controls should be part of the monitoring and alerting concept so that suspicious behavior can be spotted and dealt with. The operation of the infrastructure also includes the replacement of defective IoT devices, the replacement of batteries and a concept for installing firmware and security updates. Data backup and data recovery are as much a part of the operation as the scalability of the platform when additional devices are connected.
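A detective control of the kind the paragraph above calls for, as an added example that is not part of the original article: it builds a per-device baseline from NetFlow-style records and flags devices whose outbound volume jumps far above that baseline or that start contacting destinations never seen before, the footprint of a device drafted into a DDoS botnet. The record format and all addresses and byte counts are constructed sample data.

```python
# Added example (not from the article): baseline-and-alert detection over
# constructed flow records of the form "device,dst_ip,dst_port,bytes_out".
from collections import defaultdict

# Constructed baseline: normal MQTT-over-TLS telemetry to an internal broker.
BASELINE = """\
cam-01,10.0.0.5,8883,1200
cam-01,10.0.0.5,8883,1300
cam-01,10.0.0.5,8883,1100
tv-02,10.0.0.5,8883,800
tv-02,10.0.0.5,8883,700
"""
# Constructed current window: tv-02 suddenly floods two external hosts.
CURRENT = """\
cam-01,10.0.0.5,8883,1250
tv-02,203.0.113.9,80,9000000
tv-02,198.51.100.2,80,8000000
"""


def parse(records: str):
    for line in records.strip().splitlines():
        dev, dst, port, nbytes = line.split(",")
        yield dev, dst, int(port), int(nbytes)


def build_baseline(records: str):
    """Per device: average outbound bytes per window and the set of known destinations."""
    bytes_per_dev = defaultdict(list)
    dsts_per_dev = defaultdict(set)
    for dev, dst, port, nbytes in parse(records):
        bytes_per_dev[dev].append(nbytes)
        dsts_per_dev[dev].add((dst, port))
    avg = {d: sum(v) / len(v) for d, v in bytes_per_dev.items()}
    return avg, dsts_per_dev


def detect(baseline: str, current: str, factor: float = 10.0) -> list:
    """Return (device, reason) alerts for the current window."""
    avg, known = build_baseline(baseline)
    out = defaultdict(int)
    alerts = []
    for dev, dst, port, nbytes in parse(current):
        out[dev] += nbytes
        if dev in known and (dst, port) not in known[dev]:
            alerts.append((dev, f"new destination {dst}:{port}"))
    for dev, total in out.items():
        if dev in avg and total > factor * avg[dev]:
            alerts.append((dev, f"outbound volume {total} B exceeds {factor}x baseline"))
    return alerts
```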
Alternative approaches
Large cloud computing providers offer platform-specific IoT solutions that are strongly integrated with the respective cloud ecosystem and thus partly contain SDK, IoT Gateway, Message Broker and IAM from a single source. Depending on the standards and protocols used, the risk of a vendor lock-in increases. But then again, you shouldn’t implement it yourself.
Another approach to security is to bake trust modules into the IoT hardware. A trust anchor at the hardware level makes it possible to validate the integrity of the hardware and software stack on the devices and thus provide greater security for communication.
The International Data Spaces Association (IDSA) is also trying to solve the problem using trust anchors, but with a decentralized and platform-independent approach. The current IDS reference architecture describes a decentralized infrastructure of trusted and certified “connectors” whose integrity can be attested via a special communication protocol (IDSCP). This requires a central public key infrastructure and brokers for the semantically driven networking of the connectors. Once implemented, however, the concept could offer a trustworthy and secure infrastructure, especially for IoT scenarios.
Conclusion
Given the immaturity and explosive proliferation of IoT devices, there is now a considerable risk of attacks on information systems. This risk can be significantly reduced by well-known basic information security and additional IoT-specific security measures.
In addition to a security focus in the development process, the use of uniform platforms, standards, and reference architectures can drastically reduce the cost of security implementations. Given the expected added value and the considerable risk for directly and indirectly connected IT systems, greater investment in the information security of IoT infrastructures justifies itself.
Translated from: https://medium.com/swlh/the-bots-are-coming-2ea033674927