New practice to focus on secure design and deployment of consumer, enterprise, industrial, medical, and transportation devices
London, UK. Rapid7, Inc. (NASDAQ: RPD), a leading provider of security data and analytics solutions, today announced that it has expanded its strategic consulting and security testing offerings to aid organisations in securely developing and deploying non-traditional internet connected devices, often referred to as the internet of things (IoT). The new practice area will help organisations think strategically about building security practices into product development lifecycles, provide thorough assessment and testing of potential weaknesses for both hardware and software, and offer forensic analysis for devices that have been compromised.
Compromised IoT devices can be used to amplify and launch crippling distributed denial of service (DDoS) attacks against others. Recent cyber-attacks have taken advantage of IoT device weaknesses, most notably the Mirai malware. In addition to securing IoT devices themselves, IT and security professionals are charged with defending their networks against this new threat vector.
“The risk posed by IoT devices has moved from theoretical to real-world. When we consider IoT, we’re no longer talking about a single or highly unlikely, targeted instance of a vulnerable device that leads to one compromised system or consumer. We’re now seeing large-scale attacks that leverage huge numbers of devices against extremely popular organisations,” said Deral Heiland, IoT research lead at Rapid7. “As a result, device developers and manufacturers are coming under increased scrutiny and heightened expectations. Their products are assumed secure, though many of these product developers are still learning the fundamentals of secure design principles.”
According to Gartner’s Internet of Things Primer for 2016, “by 2020, over 20 billion connected things will be in use across a range of industries.” While driving significant productivity gains for businesses and consumers, this exploding growth also creates new attack vectors for malicious attackers and presents increased risk. IoT devices not only create new opportunities for attackers to invade networks to steal information, they can also be hacked to gain access to physical spaces and assets, or even cause harm to users. As users become more dependent on the functionality of connected devices, the risk represented by loss of use or corrupted use becomes even greater.
Transportation specialty
Planes, trains, and automobiles often have a complex set of requirements. Rapid7’s deep expertise goes beyond understanding CAN, LIN, FlexRay, and other network protocols to provide assessments and recommendations that will not affect the product’s performance, but will solve manufacturers’ specific needs and concerns. Rapid7 works with original equipment manufacturers (OEMs) and tier suppliers to fit into development workflows.
Rapid7’s transportation offering will be led by Craig Smith, who joined the Company over the summer. Smith is the founder of Open Garages, a distributed collective of performance tuners, mechanics, security researchers, and artists. He is also the author of the “Car Hacker’s Handbook” and has developed many open source utilities to teach CAN bus protocols to students, as well as security penetration tools that can uncover vulnerabilities in vehicle and diagnostic systems.
“Rapid7 understands the transportation industry, the needs of its engineers, what methods work, and which ones do not – we’ve seen what happens when security isn’t implemented correctly or is considered too late in the process. We’re focused on identifying real risks to create custom solutions that integrate into what’s most important to the business, without compromising design,” said Smith. “Over the past five years, we’ve seen increased recognition for security research as a valuable part of the transportation development process. Manufacturers are working to better understand how software vulnerabilities impact the safety of their products – we’re excited to continue forward on this path,” he finished.
Consulting and assessment service areas
Rapid7 will offer the following services as a part of the IoT practice, across consumer, enterprise, industrial, medical, and transportation devices:
- Strategic Guidance: Specialist consultancy on how to develop IoT technologies with security built-in from the ground up. The consultants will work with industry experts and trade groups to help develop standards and best practices for IoT security and will funnel this expertise into engagements with IoT developers.
- Threat Modeling: Development of comprehensive threat models of your entire system that can evolve with your complete product lifecycle to help you identify and mitigate the most critical issues, as well as to document your product’s security posture.
- Device Design Consulting: Designing hardware is often the first step of a major project and can determine your limitations and weaknesses. The company offers consulting from the ground up so that hardware issues don’t become the Achilles’ heel of your software security architecture.
- Incident Response: After an attack, getting forensic information from anything more than device logs can be a non-trivial task. Rapid7’s hardware teams can assist in getting the information you need directly from a product.
- Security Testing and Vulnerability Analysis:
  - IoT Penetration Testing: Rapid7 penetration and system analysis testing goes beyond basic analysis to consider the whole ecosystem of the IoT technology, including the IoT mobile application, cloud APIs, communications and protocols, and embedded hardware and firmware.
  - Hardware Testing: Rapid7 will examine the physical security and internal architecture of the device – including internal components – to determine the breadth and depth of its physical attack surface. The Company also provides practical advice to help improve and remediate identified issues.
  - Protocol Testing: Rapid7 will assess and test communications to and from the device, including the protocols used, the cryptographic security of encrypted transmissions, the ability to capture and modify transmitted data, and fuzzing of the communication protocols, to determine the risk to an organization and its clients. The Company provides actionable advice to prioritize and reduce the risks uncovered.
  - Firmware Analysis: Rapid7 experts extract and examine the content of the firmware to discover backdoor accounts, injection flaws, buffer overflows, format string bugs, and other vulnerabilities, extending the analysis to the firmware upgrade process to ensure that the public key encryption and upgrade functionality are also secure.
Responsible security research driving innovation in IoT
Rapid7 security experts have been widely recognized for their research in IoT. Having found security issues with internet connected insulin pumps, light bulbs, cars, toys, baby monitors, and more, the company is dedicated to using security research to better protect consumers and organizations through coordinated disclosure, clear communications, and jointly agreed upon mitigations whenever possible.
About Rapid7 Strategic Advisory Services
Rapid7’s Security Advisory Services apply industry expertise, data-driven analysis, and industry best practices to transform the way organizations manage security programs and empower more impactful business decisions. Our experts will help you answer critical questions to quantify the current state of your security, gain executive alignment, and put in place plans to deliver measurable improvement. Whether you need specific help improving the security of IoT devices, implementing breach response, or revamping a complete security program, Rapid7 has the knowledge, experience, and commitment to get you to success.
The company conducts more than 1,000 penetration tests each year, and its experts in threat modeling, incident detection, breach response, and security program strategy are featured speakers and contributors at major security conferences, including RSA, Black Hat, DEF CON, and SXSW.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.