IoT Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

IoT

A new chapter in remote IoT security

960 640 Guest Post

By Keith Glancey, Systems Engineering Manager at Infoblox   

When the COVID-19 pandemic struck, businesses around the world found themselves forced to adapt quickly in order to survive. IT and security teams took centre stage, and were tasked with supporting a newly-remote network of employees and maintaining business continuity. Many companies emphasised ‘connectivity first,’ relegating security to an afterthought. However, as the dust starts to settle, remote work seems here to stay in some form. This has opened up a new threat for many businesses.    

Just as the pandemic has blurred the line between our professional and personal environments, it has also blurred the line between our professional and personal IoT devices– whether it’s a connected television, smart thermostat or a tablet connected to a work application. The increased use of personal devices is making the professional network vulnerable to attack, and so is the proliferation of IoT devices. With many employees yet to return to the office, it’s never been more important for businesses to assess and address the IoT security risks posed by our new reality.  

The remote rise of Shadow IoT 

Even before the pandemic struck, IoT security was a challenge. In fact, research discovered that one third (33%) of UK businesses believed there were around 1,000 unauthorised or non-business related IoT devices – also known as Shadow IoT devices – connected to their enterprise networks. These devices can open the wider business up to attack and also enable unsanctioned ‘lurkers’ to access any given network. One of the consequences of the rise of shadow IoT was the surge of 17 million cases ofdistributed denial-of-service (DDoS) attacks across the globe in 2020 alone, with reports highlighting a 250% increase of frequency over the last 3 years. 

As remote working has transformed the way that individuals are using their IoT devices, this threat has only increased. The average home today has 11 IoT devices connected to its network. And since IoT devices are notoriously insecure, this presents a serious headache for IT and security teams. Each of these devices provides a vector through which malware can enter an employee’s home network and then move laterally to infect the corporate network as well. Given that IT teams can’t easily enforce corporate security policies on devices that sit outside of their infrastructure, this is opening up the floodgates and putting businesses at increased risk from attacks such as phishing and malware.  

To add to this, many individuals are naturally less risk-averse at home. For some, using a work device to browse social media, shop or stream entertainment services has become the norm. Yet, combined with the threats posed by unsanctioned IoT devices, this use of unsecured Wi-Fi connections, unsanctioned applications, and browsers with insecure plug-ins has the potential to compromise the entire corporate network.   

Future-proofing 

Organisations must take this time to embrace a more strategic approach to security, rather than hanging onto a model that isn’t compatible with the cloud-first networks that remote work requires. Network architecture is no longer centralised on a physical campus, with a core data center into which users connect, and security practices need to reflect this. 

One effective way that IT teams can protect their network against shadow IoT threats is by increasing visibility. This is where DNS (Domain Name System) tracking comes in. DNS is a core network service, which means that it touches every device that connects to a company’s network and the wider internet. Because of this, it doesn’t rely on a device being authorised or known to the IT team. As a result, DNS has the power to see every connection point in the network, enabling IT and security teams to know exactly what each IoT device is doing at all times.  

To take it to the next level, businesses can merge DNS with DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management). This combination of modern technologies – known as DDI – can pinpoint threats at the earliest stages, identifying compromised machines and correlating disparate events related to the same device. DDI can also help teams automate the provisioning of security services to remote endpoints, removing the need to ship devices back and forth for on-site patching.   

As enterprises become more distributed and borderless, they need security to stretch across their entire infrastructure and protect users wherever they are located. Defending from the network edge will be critical in combating shadow IoT threats brought about by remote work and using modern technologies such as cloud-first DDI will enable organisations to stop and remediate attacks before they cross over from the home to the corporate network. 

To succeed, enterprise cybersecurity needs IoT scale

960 640 Guest Post

By Nigel Thompson, VP Product Marketing at BlackBerry

There are few things in cybersecurity that aren’t up for endless debate. Yet one thing that is universally agreed upon is that anything with an Internet address can and will be attacked. We’ve certainly witnessed this happening on a large scale with the proliferation of Internet of things (IoT) devices in recent years, and we’re likely to see the scale and complexity of these attacks escalate in the years ahead. And due to their newness on the security scene, IoT devices will cause large headaches for enterprise security during those years.

IoT, on the whole, remains a misunderstood risk. When many consider IoT security, what comes to mind first are usually “smart home” automation systems, such as thermostats, lights, doorbells, speakers, and other consumer devices. One concerning case last year saw cyber attackers take over a family’s smart home devices to blast music at loud volumes, talk to the couple through a camera in their kitchen, and crank their thermostat to 90 degrees. In cases like these, such attacks could arguably be considered more of a nuisance than a life-endangering event.

But once you step outside the home, a more profound and immediate danger lies in wait, in the form of industrial, or enterprise IoT. This IoT includes connected devices found in manufacturing, the food supply chain, healthcare, and building automation, among other verticals. Of course, security events involving consumer IoT devices are bad enough, but such attacks hitting enterprise systems and critical infrastructure can be devastating, or in the case of medical devices, life-threatening. For example, at a past DEF CON security conference, Jay Radcliffe, an ethical hacker and diabetic, demonstrated that it wasn’t that difficult to take remote control of an insulin pump and deliver a lethal dose to a patient.

According to a recently published report from research and consulting firm Frost and Sullivan, by 2025 there will be 67 billion new connected devices in the world, up from 24 billion in 2019. Enterprises in every industry need be prepared for that eventuality. Because the more Internet-connected devices come online, the larger the potential attack surface of the organisation. In the years ahead, that attack surface is going to continue to expand exponentially.

The Threats to Enterprise IoT Are Real

The threats due to enterprise IoT are significant and should not be underestimated. These connected devices generate an enormous amount of highly detailed data. Should this data be stolen, or its network flow disrupted through a denial of service attack or a targeted ransomware strike, the results could be highly destructive to business reputation and operational availability. Also, the data within supply chains that detail operational demands, production data and more will always have value to competitors.

IoT security is a challenge across verticals. According to Frost and Sullivan, the factory and industrial automation market will have nearly 10.8 million connected devices by 2025, while building automation will reach 30 million. Other verticals expecting substantial growth, according to the report, include connected cars and telematics, retail, healthcare and medical devices, and enterprise-issued and bring your own (BYO) devices.

“This will substantially increase the threat surface, which is reflected in the rapidly expanding threat landscape,” the firm wrote in their report. The total number of devices include recognisable endpoints, such as phones and tablets, as well as devices across nearly every other industry.

Of course, with these device deployments, there is great opportunity to improve operational efficiency, improve the lifecycle management of capital assets, provide real-time insight into the enterprise happenings, and engage with customers in new ways. But the security concerns are also real. The challenge is to manage the security risks so that these benefits can be realised, and the risks minimised.

Attain Control and Visibility Across All Endpoints

There are a number of steps that can be taken to ensure adequate IoT security. One step every organisation can take right away is to procure devices from manufacturers that develop their products with security in mind – baking security in from the ground up, rather than bolting it on afterwards. As part of that effort, organisations should make sure to have their security teams test any new hardware and software for security flaws and ensure the devices can be managed just like other endpoints.

Of course, while it would be ideal that all enterprise IoT devices ship securely and without flaws, that’s not going to be the reality. Design mistakes will be made over the course of bringing even the most secure devices to market, and most enterprises will similarly make deployment and configuration mistakes that create detrimental security ramifications. For instance, according to Frost and Sullivan, effective IoT security is complicated by how different business departments will independently choose to manage and secure their IoT devices in different ways. All organisations must be aware of this, and should prepare to effectively track, secure, and manage all newly connected devices across the enterprise in a uniform way.

One of the most important strategies to success will be not treating IoT devices as a discrete security challenge, but as part of the organisation’s overall endpoint security strategy. If security teams are to have the visibility and control they need, endpoint and IoT security management must be unified. That includes devices that run any operating system, such as Android™, Chrome™, Windows®, and macOS®. With fewer consoles, or ideally a single console, when managing all endpoints, security teams will have all the information they need to properly identify security threats and respond to potential breaches, and to more intelligently defend systems and data.

Enterprises can’t afford to wait long to centralise their IoT and endpoint security. The longer they wait, the harder it’s going to be to successfully consolidate, especially as IoT deployments accelerate and there are ever more devices on networks, for example, as a result of the explosion of remote working caused by the recent COVID-19 pandemic. Without a centralised console, decentralised information about security events — including attacks across domains — will be lost or overlooked, and teams will be forced to try to manually piece together their responses.

Here are a number of key attributes security teams should look for from their providers when consolidating IoT and endpoint security:

  • The ability to centrally manage users, data files, devices as well as apps
  • Compatibility with most leading endpoint operating systems
  • Ability to manage security configurations for things like access credentials
  • The ability to track usage patterns through comprehensive analytics
  • The ability to deploy across cloud and on-premises environments

The swift pace of IoT has created an issue of scale “where the size of the environment of endpoints, data, and threats is making the job of the CIO and CISO unmanageable,” as the Frost and Sullivan analysts put it. While that’s accurate, it doesn’t have to be true everywhere. By taking the necessary steps today to consolidate endpoint security solutions, enterprises can make certain that their security efforts reach IoT scale.

Meeting the Tests to get out of Data Lockdown

960 640 Guest Post

Digital transformation of any business has always been hampered by making sense of underlying data. And that data has been growing in volume at an unprecedented rate driven by the growth of IoT. It’s the perfect storm – the need for real-time information being increasingly distanced by the rate at which the data volume is growing. Businesses need insight, not just data, which means getting the right information, to the right person, at the right time. 

But the age-old problem remains today – how do you understand and see what data you have readily available, in a format that’s usable and that you can access at the right time? Peter Ruffley, CEO, Zizo, explores three aspects businesses must consider to get out of ‘data lockdown‘…

Data access 

There are a multitude of ways to store and access data, but a majority of businesses haven’t considered access to external data sources yet. When we begin to question how to enrich and improve data, one of the fundamental capabilities of this process is by integrating external third-party data sources, such as weather, crime or other open data sources. 

Businesses need to have an understanding of what they need to do to make the process worthwhile, and ensure they have the correct capabilities before they start. A common first approach for many organisations is to build from scratch and make it their own, rather than considering the buyer approaches where you look at what’s out there, explore the marketplace and transform existing data to use within the business, rather than starting from the ground up. 

If they can’t combine different sources of data quickly and cost-effectively together, they won’t move forward. It makes sense to digitally transform an organisation if it is going to make use of what’s already out there, as being able to tap in and share other work and insights will make the exercise worthwhile and cost-effective. With combinations of solutions available in the marketplace that can accelerate the process by providing the necessary building blocks, it’s time to transform the digital transformation process. 

Data responsibility 

There remains a disconnect between IT teams and businesses’ impressions about what it means to provide the data. If both parties are not aligned with the same aims of the business, the project could stall at the first hurdle. Instead, organisations need to bridge the divide and encourage stronger collaboration between all stakeholders. When businesses realise where those holes are in their structure, it’s key to get people involved to solve those challenges. 

This involves change on three levels; personnel, cultural and technological. Who’s responsible for this chain? Whose action is it? How do we bring these teams together? The business might be storing a lot of data, but how can it be accessed, interrogated and made useful? How will the business’ data goals be defined? 

Typically, the digital transformation initiative comes from the top in the organisation. In order to get your business on board, you have to make a very clear case of what the benefits are. Employees need to trust that improvements will be made for them by doing this, rather than just dictating the plan. Digital transformation is a change programme, which impacts all aspects of the business. You therefore have to approach it in the same way that you would approach any change project – with clear objectives and an agreed process of identifying how you’re going to get value from data. With a compelling case, you have a much better chance of carrying it through with buy in from all stakeholders. 

Data and objective identification:

You can’t embark on a digital transformation initiative without a concept – you’re condemning the project to failure if the business is not engaged properly with the process before you start. In order to yield business benefit from data, organisations must identify the areas that will realise the most benefits. Even if they’re hypothetical, there must be measurable ambitions in place or milestones for this journey, so that there is an understanding of what you’re going to do, and what you want to get out of it. Or if those ambitions weren’t achieved, why not? What steps need to be taken next time? 

Organisations have to be able to collect the data and assess whether they can achieve their business objectives from that data. But a goal of just ‘digital transformation’, ‘digitising data’ or ‘making more money’ will never translate into a concrete business case. Goals need to be specific and measurable in order to determine the project roadmap and for success to be evaluated. 

More importantly, you have to understand where the data is in your organisation and what it’s being used for, before you start the process of transformation. The whole supply chain needs to be aware of the transformation and the demands that are going to be in place. You’ve got to be very open about this process, because there will be people who you haven’t thought of that might be impacted by the changes you’re making.

With easy access, a connected team and clear objectives, companies can have a clear outline of what it is they set out to achieve in their digital transformation, how they expect to make this transition with the data available, and who can take on what role in this process. 

42% rise in companies reporting cyber attacks by foreign governments

960 640 Stuart O'Brien

In 2018, 19% of organisations believed they were attacked by a nation-state – That figure increased to 27% in 2019, with companies in North America the most likely to report nation-state attribution, at 36%.

That’s according to Radware’s 2019-2020 Global Application & Network Security Report, which found that more than one in four respondents attribute attacks against their organisation to cyber warfare or nation-state activity. 

“Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations,” said Anna Convery-Pelletier, Chief Marketing Officer at Radware. “These attacks can result in the loss of sensitive trade, technological, or other data, and security teams may be at a distinct disadvantage.”

Radware says the findings come at a time of heightened anxiety for security managers. Organisations are increasingly turning to microservices, serverless architectures, and a mix of multiple cloud environments. Two in five managers reported using a hybrid environment that included cloud and on-premises data centers, and two in five said they relied on more than one public cloud environment. However, only 10% of respondents felt that their data was more secure in public cloud environments.

As organisations adapt their network infrastructure to enjoy the benefits of these new paradigms (such as microservices and multi-cloud environments), they increase their attack surface and decrease the overall visibility into their traffic. For example, 22% of respondents don’t even know if they were attacked, 27% of those who were attacked don’t know the hacker’s motivations, 38% are not sure whether an Internet of Things (IoT) botnet hit their networks, and 46% are not sure if they suffered an encrypted DDoS attack. 

Convery-Pelletier added: “This report finds that security professionals feel as though the battlefield is shifting under their feet.  Companies are increasingly adding and relying upon new paradigms, like microservices, public and hybrid clouds, and IoT, which means the infrastructure is harder to monitor for attacks. These new technologies force a shift in security implementation into the development teams.  Security is often an afterthought as businesses march forward, and there is a misconception that ‘good enough’ is enough.”

In addition, the report also found:

The emergence of 5G networks. As the push for 5G grows, there exists an important opportunity to build security into networks at its foundations. Despite the increasing buzz around 5G networks, only 26% of carriers responded that they felt well prepared for 5G deployment, while another 32% stated that they were somewhat prepared.  

Be careful what you wish for in terms of IoT. 5G promises to advance organisations’ implementation of and the value they derive from IoT technologies, but that promise comes with a corresponding increase in the attack surface. When it comes to IoT connected devices, 44% of respondents said malware propagation was their top concern, while lack of visibility followed at 20% and Denial of Service at 20%.

Data loss is top concern. About 30% of businesses stated that data theft as a result of a breach was their top concern following an attack, down from 35% the previous year, followed by service outages at 23%.  Meanwhile, 33% said that financial gain is a leading motivation for attacks.

To read Radware’s ERT report, visit https://www.radware.com/ert-report-2020/

Top 10 IT security predictions for 2018

960 640 Stuart O'Brien

Ian Kilpatrick, executive vice president for cyber security company, Nuvias Group, offers his top 10 IT security predictions for the year ahead…

1. Security blossoms in the boardroom

Sadly, security breaches will continue to be a regular occurrence in 2018 and organisations will struggle to deal with them. New security challenges will abound and these will grab attention in the boardroom. Senior management is increasingly focusing on security issues and recognising them as a core business risk, rather than the responsibility of the IT department alone. The coming year will see further commitment from the boardroom to ensure that organisations are protected.

2. Ransomware has not gone away

Too much money is being made from ransomware for it to disappear – it won’t. According to Cyber Security Ventures, global ransomware damage costs for 2017 will exceed US$ 5 billion, with the average amount paid in ransom among office workers around US$ 1400. Companies can help prevent ransomware by tracking everything coming in and out of the network and running AV solutions with anti- ransomware protection. And, of course, you should do regular backups to a structured plan, based around your own business requirements – and make sure you test the plans.

3. IoT – A security time-bomb

IoT is a rapidly growing phenomenon which will accelerate in 2018, as both consumers and businesses opt for the convenience and benefits that IoT brings. However, manufacturers are not yet routinely building security into IoT devices and 2018 will see further problems generated through the use of insecure IoT. IoT is a major threat and possibly the biggest threat to businesses in the coming years. Unfortunately, it is not easy, and in some cases impossible, to bolt on security as an afterthought with IoT, and many organisations will find it challenging to deal with the consequences of such breaches. As IoT cascades through organisations’ infrastructures, it is likely to become the ultimate Trojan horse.

4. More from the Shadow Brokers

The Shadow Brokers, a hacker group which stole hacking tools from the American National Security Agency (NSA), created havoc in 2017 with the Wannacry ransomware episode. The group has already stated that it will soon release newer NSA hacking tools, with targets that might include vulnerabilities in Windows 10.

There will certainly be further episodes from them in 2018, so patch management, security and regular backups will be more crucial than ever. A major target of these hackers is the data that organisations hold, including PII (Personally Identifiable Information) and corporate data, so protecting the data ‘crown jewels’ inside the network will become ever more crucial.

5. GDPR – Have most businesses missed the point?

The arrival of GDPR in May 2018 will, of course, be a big story. However, many organisations are missing the main point about GDPR. It is about identifying, protecting and managing PII – any information that could potentially identify a specific individual. This will become more important in 2018 and there will be considerable focus on identifying, securing and, where required, deleting PII held on networks.

6. GDPR Blackmail – The new ransomware?

Unfortunately, GDPR will give a great opportunity to criminals, hackers, disgruntled staff and anyone who might want to do an organisation harm. They simply have to ask you to identify what data you hold on them, ask for it to be erased, and ask for proof that it has been done. If you can’t comply, they can threaten to go public – exposing you to the risk of huge fines – unless you pay them money. Watch out for that one!

7. DDoS on the rise

It is now possible for anyone to ‘rent’ a DDoS attack on the internet. For as little as US$ 5, you can actually pay someone to do the attack for you! https://securelist.com/the-cost-of-launching-a-ddos-attack/77784/. This is just one of the reasons DDoS threats will continue to escalate in 2018, alongside the cost of dealing with them. The dangers of DDoS for smaller companies are that it will leave them unable to do business. For larger organisations, DDoS attacks can overwhelm systems. Remember that DDoS is significantly under-reported, as no-one wants to admit they have been under attack!

8. Cloud insecurity – It’s up to you

Problems with cloud insecurity will continue to grow in 2018 as users put more and more data on the cloud, without, in many cases, properly working out how to secure it. It is not the cloud providers’ responsibility to secure the information – it is down to the user. With the introduction of GDPR in 2018, it will be even more important to ensure that PII stored in the cloud is properly protected. Failure to do so could bring serious financial consequences.

9. The insider threat

Historically, insider threats have been underestimated, yet they were still a primary cause of security incidents in 2017. The causes may be malicious actions by staff or simply poor staff cyber-hygiene – i.e. staff not using the appropriate behaviour required to ensure online “health.” In 2018, there will be growth in cyber education, coupled with more testing, measuring and monitoring of staff behaviour. This increasingly involves training and automated testing, such as simulated phishing and social engineering attacks.

10. Time to ditch those simple passwords

In 2018, simple passwords will be even more highlighted as an insecure ‘secure’ method of access. Once a password is compromised, then all other sites with that same user password are also vulnerable. As staff often use the same passwords for business as they use personally, businesses are left vulnerable. While complex passwords do have a superficial attraction, there are many challenges around that approach and multi-factor authentication is a vastly superior method of access.

IoT projects held back by security concerns

960 640 Stuart O'Brien

The majority (94%) of IT professionals from organisations that are undertaking Internet of Things (IoT) initiatives say they need to invest in it over the next 12 months in order to stay competitive – but they are facing significant barriers to adoption.

These obstacles include security concerns, the cost of implementation and commitment from the company’s leadership.

The findings are part of a major new report released by the Wi-SUN Alliance, a global association driving the proliferation of interoperable wireless solutions for use in smart cities, smart grids and Industrial IoT applications.

The research, which looks at attitudes to IoT, including the drivers, barriers, challenges and benefits, surveyed 350 IT decision makers in the UK, US, Sweden and Denmark. While all respondents come from organisations that are investing in at least one IoT initiative, just over half (51%) report that they have a fully implemented IoT strategy in place, while more than a third (36%) have one being rolled out. While enabling IoT is the second most important IT priority for the next 12 months, only just behind improving security, almost all respondents (90%) have struggled to implement a plan, with over a third (36%) saying they find it “very or extremely difficult”.

Security tops the list of major concerns, holding back nearly six in ten (59%), while cost of implementation is also a barrier, delaying around half (46%). More worrying is that, while 42% say that creating efficiencies for the business is an important driver to implementing IoT initiatives and 37% say the same for reducing operational costs, getting access to funding for projects is a problem, with a third (32%) admitting this is a barrier. The same amount struggle because of reluctance by senior executives in the organisation to commit to IoT projects.

As well as barriers, the research also highlights technical challenges that organisations are facing when delivering on IoT initiatives and processes. Security and safety tops the list at 63%, while data management (46%), network configuration (41%) and recruiting the right IoT skills and resources (39%) are also seen as technical challenges.

For implementation of smart city and smart utility solutions, proven security with multi-layer protection and continuous monitoring is considered ‘absolutely crucial’ for around half of respondents, while industry-wide open standards are also crucial (45% and 43% respectively).

The benefits of IoT are also widely recognised, with the majority of respondents citing better business efficiency (54%), improved customer experience (49%) or better collaboration (48%). Nearly half (45%) have seen lower costs and 41% higher customer satisfaction.

According to the Wi-SUN research, when organisations are evaluating which IoT technology to move forward with, 58% look for network topology and coverage, while communications performance (53%), industry standards support (52%), and power efficiency (50%) are also sought after. Around half look for reliability (47%) or scalability (44%).

“When it comes to the design, development and implementation of IoT projects, especially around smart cities and smart utilities, there are a number of issues that organisations are having to contend with and security is proving to be a particularly significant barrier,” according to Phil Beecher, President and CEO, Wi-SUN Alliance.

“The research highlights that more education is needed: there are many network options, but not all provide the features necessary for large-scale outdoor networks, as required by smart cities or utilities. For instance, unlike tower-based networks, such as LoRa, SigFox, Ingenu and NB-IOT, Wi-SUN Field Area Network (FAN) specifies a wireless mesh network, which not only supports higher data rates and bi-directional data transmission, but can also provide complete coverage with greater resilience and reliability. Wi-SUN FAN networks are also highly secure as only “vetted” devices can join the network, preventing compromised devices from causing disruption of essential services that may include public safety. It is essential that organisations understand the level of security and the associated risks provided by different network solutions, and choose the very highest security levels available for their IoT networks.”