Vulnerable Voting Machines Yet Another IoT Device to Secure
The growth of internet-connected devices, including voting machines, means security pros must pay more attention to software vulnerability management.
By Kasper Lindgaard, Secunia Research at Flexera Software
This election season, voting machine security is probably not top of mind. After all, 75 percent of votes cast in the United States use paper ballots, and many electronic machines print a ballot to maintain a paper trail.
However, according to Pamela Smith, president of election integrity organization Verified Voting, Delaware, Georgia, Louisiana, New Jersey and South Carolina use electronic voting machines. If connected to a network, a voting machine could be yet another device that needs to be secured.
For instance, hackers could likely intercept signals from an electronic voting machine connected to the network, similar to how hackers could intercept a user's data when he or she connects to public Wi-Fi.
Earlier this year, the FBI issued an alert requesting that states contact their Board of Elections and determine if any suspicious activity had been detected in their logs, following the hacking of two state election boards, one of which resulted in data being stolen. This led to ongoing speculation as to whether tomorrow's election will be hacked.
The government is a hot target for hackers. The Office of Personnel Management thwarted 10 million confirmed intrusion attempts per month in 2015, and that is just one department of the government. Many organizations assume a data breach will occur at some point, and therefore take a proactive approach to security. It would be wise for the government to adopt a similar mindset.
IoT Security Issues
It is more crucial than ever that everyone, including governments around the world, understand how these connected devices are impacting our everyday lives and shifting how we interact -- and even trust -- the objects that voters may rely on during election season. When it right comes down to it, the Internet of Things (IoT) is about devices being controlled by software, connected to the internet, armed with sensors for reporting.
When voters enter their assigned polling place tomorrow, they may not consider the vulnerabilities at risk every time they use a connected device, including some electronic voting machines. With internet-connected devices, there will always be a risk from determined hackers that want to exploit vulnerabilities in the device and the applications on the device. It is not just governments that should be concerned.
Businesses fear exposing customers to internet criminals without a way to fix the problem. Indeed, the reputational damage and loss of trust resulting from these break-ins cuts far deeper than the cost of repairing the damage. According to PwC's 2016 Global Economic Crime Survey, executives considered reputational damage the most devastating impact of a breach, followed closely by legal, investment and enforcement costs.
All software can be vulnerable, whether it is powering an electronic voting machine that may be connected to a network, or enterprises. The cost is massive for organizations when a hacker is successful in gaining entry. An organization’s first line of defense to minimize criminal threats should be to shrink the attack surface by decreasing the number of vulnerabilities on its devices. Taking this preventative measure will considerably lower the likelihood that a hacker can do any real harm.
Software Vulnerability Management
This is why software vulnerability management is so important; it is preventative. The majority of successful attacks worldwide use known software vulnerabilities to access or escalate privileges. Once hackers have successfully exploited a vulnerability, they have a base to roll out their attack: moving around systems, gathering information and deploying malware (an umbrella term referring to a variety of hostile or intrusive software including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs) to steal or terminate critical information or cause disruption.
The problem created by vulnerabilities is more broad-based than most people -- and government entities -- realize. Flexera Software published its Annual Vulnerability Review 2016, presenting global data on the prevalence of vulnerabilities and the availability of patches. In 2015 alone, 16,081 vulnerabilities were recorded in 2,484 products from 263 vendors. These findings illustrate the challenge faced daily by security and IT operations teams trying to protect their organizations against security breaches.
However, there are clues in the data that provide insights into how to handle vulnerabilities. Of the 16,081 vulnerabilities discovered, 13.3 percent were rated as "highly critical" and 0.5 percent as "extremely critical." (Secunia Research at Flexera Software gives vulnerabilities a criticality rating based on the analysis of different aspects of the vulnerability. A description of criteria for ratings is available on page 27 of the Vulnerability Review 2016.) Moreover, 84 percent of vulnerabilities in all products had patches available on the day of disclosure.
This means that by implementing a proper software vulnerability management strategy, organizations can significantly minimize their attack surface and the likelihood of a successful breach.
The first element of that strategy is vulnerability intelligence, referring to all research data on vulnerabilities -- including historical data, attack vector, impact, criticality ratings and fixes. Vulnerability intelligence can be integrated with an organization's security strategy to support risk assessment. It can also be used by software vulnerability management technology to feed and enhance tools.
How is vulnerability intelligence derived? It begins with an investigation to determine whether the numerous vulnerabilities, identified globally from countless sources, actually exist. Once a vulnerability's existence is confirmed, evaluation of its criticality is vital so that an organization can determine which ones pose the bigger risk and require more immediate attention.
Vulnerability intelligence feeds into the three critical stages of the software vulnerability management lifecycle.
The lifecycle starts with the "assess" stage in which the existence of the vulnerability is researched and verified. Next, the organization needs to filter out the known vulnerabilities and focus only on those impacting the organization. That entails comprehensive asset discovery and inventory to determine which systems are potentially threatened by the verified vulnerabilities. Once the universe of known vulnerabilities is winnowed down to only the subset impacting the organization, vulnerability intelligence can be applied to determine which vulnerabilities are most critical and require prioritized attention.
The second stage of the software vulnerability management lifecycle involves mitigation. This is often where a handoff occurs between the corporate security team and the IT operations team. (I do not recommend a siloed approach between security and IT operations, however.)
The IT operations team typically handles patch management and will use its application readiness processes to identify and download the applicable patches. (Remember that 84 percent of vulnerabilities have patches available on the day of disclosure.) The patches then need to be tested (i.e. for dependencies) and packaged up and distributed to the correct machines. This mitigation process must be well managed and automated to avoid system overloads and failures.
The last step of the software vulnerability management lifecycle is verification, whereby the application of the patch or other mitigation technique is verified. Once mitigation is complete, the attack vector for that vulnerability has been eliminated.
Being Reactive and Proactive
Organizations, including the government, must be proactive and reactive in order to fight crime. They must be proactive to make sure it is as difficult as possible for a hacker to break into systems. They must also be reactive, prepared to detect and respond to incidents as they happen.
Many organizations focus on their reactive approaches, only dealing with the attack once it has occurred. However, it is exponentially more difficult to identify and respond to breaches when there are too many holes and cracks for hackers to exploit.
A proactive approach via software vulnerability management means investment in the people, processes and technology to effectively lessen the attack surface and minimize the likelihood that a software vulnerability can be exploited by hackers in the first place.
Whether you are a government entity, or any company that utilizes IoT devices, innovation almost always comes with inherent risks. Having the knowledge of vulnerabilities is paramount to guarantee security and integrity of data and systems. All organizations share the burden of taking reasonable precautions to help ensure their devices do not become easy prey for criminals.
Kasper Lindgaard is director of Research and Security for Secunia Research at Flexera Software. He originally joined Secunia Research as a security specialist in February 2011 and became head of Research in September 2012. He is in charge of developing and managing Secunia Research and responsible for the quality and reliability of Secunia Research, including the Secunia Advisories. He works closely with software vendors and the security community to ensure that Secunia Research is able to deliver the timely and accurate vulnerability intelligence that is the core of Flexera Software's Software Vulnerability Management business.
By Jeff Goldman
October 28, 2016
The flaw was discovered almost six months ago by researchers at Indegy Labs.