Sunday, December 15, 2024

How To Launch A Better Penetration Test In 2025: 4 Golden Tips



In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.  I have written many blogs and articles, even published an eBook (through Amazon) and an actual published book about it, through CRC Press.

I have even formed some partnerships with various Cyber vendors offering their Penetration Services as well.  Some of them have run the gamut from doing manual testing to having it completely automated.

There is a huge debate about this, and in all the writing and discussions I have had about it, I am in the middle of it.  I think certain parts of the Penetration Testing process can be automated through Generative AI, but you need the human component as well, especially when it comes to communicating with and preparing the final report for the client.

But the bottom line is this:  In order to launch a successful Penetration Testing exercise, whoever is doing the offensive work (which is called the “Red Team”) needs to take the mindset of an actual Cyberattacker. 

Normally, a checklist or some kind of prepared agenda is followed, with written permission from the client.  But given just how stealthy the Cyberattacker has become, and the interconnectedness of both digital and physical-based assets, is simply having this enough?

Again, there is debate about this, but the consensus from what I have seen so far is “No, it is not enough”.  So, what can be done about it?  Here are some tips that I came across in a recent article:

1) The Need for Creativity:

In this instance, and I really do hate using this tired quote, the advice is to literally “Think Outside of The Box”.  This simply means that the people doing the offensive work need to take careful stock of what the physical and digital assets of the client are.  Once this has been done, do not prepare a checklist.  Instead, ask the question of “Why?”.  “Why is this asset so attractive to me, from the standpoint of breaking into it?”  In other words, the actual Cyberattacker will know that the Red Team in this regard will too often be predictable.  So, it is important here to break away from this trend and become unpredictable.  This will yield even better results in the end.

2) Avoid “Button Pushing”:

This is the actual term that was used in the article.  This simply means find that fine line between automation and human control.  Do not simply rely upon Generative AI and canned scripts to do the entire job.  As the Red Team, you need to push the boundaries just a little bit more each time you conduct an actual exercise.  This is where group effort and having a clear line of communication play a crucial role.  Some of the Penetration Testers that I know tend to be introverted and isolationist.  Break away from this mold and “bang heads together” with your team to accomplish this.  Remember, two heads are better than one.

3) Take Notice of Intention:

When things were On Premises, it was easy to find out what the intent of the hacker would be.  But with a lot of businesses now moving to the Cloud, this has become a murky area to figure out.  To crack this, try to figure out what the intent of an actual Cyberattacker would be.  But do not just look for the obvious things such as theft of passwords and Data Exfiltration; instead, try to find those exceedingly small, minute points that the Cyberattacker would be most interested in tapping into.  In this regard, one of their main intentions is to launch what are known as Supply Chain Attacks.  This is where a malicious payload can be inserted into one tiny vulnerability and from there a cascading effect will take place that will impact hundreds or even thousands of victims.  We saw this in the SolarWinds hack, and even though CrowdStrike denies it was an actual attack, just one mistake made in their software update tool created havoc around the world.  Remember, the Cloud is still to some degree an undefined territory, especially in Public Deployments.  This is where the Cyberattacker is trying to find those very tiny cracks to slip into.

4) Create The Culture:

This is the role for the CISO of an organization.  They must take the initiative to create a “Hacker Culture” from within their IT Security team.  Meaning, it is not just one person that should try to have this kind of mindset, but rather, everybody needs to.  One of the best ways to do this is to launch simulation exercises, and there are many tools online that you can use to do this.  Or even better yet, engage a true Cyberattacker that has now turned to the “good side”.  Have conversations with them as to what they hacked into in the past, why they did it, and what their primary intention was.  If you trust them implicitly, then it would also be best to have them engage in the actual Penetration Test with your team.  After all, they have been in the trenches before, and what better asset can you have?

My Thoughts on This:

Well, there you have it, some tips to launch a better Penetration Test.  In the end, complete automation can only take you so far.  In fact, in my view, these tools are far more prone to making mistakes than a human being would be.  For example, what if they hit the wrong target by mistake?  Or, what if the results they provide are not even accurate?

The argument here is that with an automated tool, for just one flat annual fee, you can run multiple Penetration Tests as needed.  This stands in sharp contrast to a manual one conducted by a human team, which can range anywhere from $30K-$40K per test.  But in the end, remember you get what you pay for.

Sunday, December 8, 2024

How To Increase The Security Posture Of Your IoT Devices: 5 Point Checklist



I think over a week ago, I wrote a blog post about the security that goes along with Internet of Things (IoT) devices, and especially giving them as gifts this Holiday Season.  In today’s blog, we are going to add onto that and talk about IoT security from the standpoint of business entities.

There is of course a lot more at risk here, especially if an organization is large, and has employees located in different geographic locations throughout the world.  So, here is a quick checklist as to how you, as a CISO, head of an IT Security team, or even a business owner, can do a Risk Assessment:

1) Take stock:

By this I mean conduct an inventory of all your digital and physical assets.  Then, rank them according to their degree of vulnerability, using a categorical scale, such as 1-10.  In this case, one would indicate least vulnerable, and ten would be the most vulnerable.  Anything in between would be an increasing level of vulnerability, or decreasing, depending upon how you look at it (such as 2-9, or 9-2, respectively).  Then, out of all those assets, not only identify the ones that are most vulnerable, but also confirm which of those are of an IoT nature.  Then, decide upon the appropriate controls, and deploy them.  Or if you already have an existing set of controls, then you and your IT Security team need to produce a plan of action to upgrade them to decrease the level of vulnerability as much as possible.  It is important to note that if you have both legacy and recent systems, trying to determine the right set of controls could be more difficult.  In this case, your best bet would be to consult with an MSP or an MSSP to work this out for you.

2) Power Consumption:

Because of their level of interconnectivity, IoT devices are known to be extremely hungry for processing power and heavy in power consumption.  Therefore, if you do make use of a Vulnerability Scanner, or even do some Penetration Testing, make sure that whatever you use is “lightweight” in design.  As a result, this will not put an extra burden on those resources that are powering the IoT devices, and you will still be able to pinpoint any weaknesses or gaps accurately.

3) Updates:

Just like a Security Policy, having a reliable Software Update Policy is just as, if not more, important.  This is the one area where most businesses fail, and as a result, they become the victim of a security breach.  Thus, it is important to create a regular schedule for checking for the latest updates that come out from the vendors that you work with, and to decide upon a good time (preferably after business hours) in which they should be deployed.  But there is one very important caveat to be remembered here:  There could be times when even these patches and updates have flaws in them.  Therefore, it is important to evaluate them in a sandboxed environment first, before installing them into production.

4) Access:

Obviously, you want to limit access to those end users who need to have entrance into your IoT devices.  One of the best ways to do this is to implement Multifactor Authentication, also known as “MFA” for short.  This is where you deploy at least three or more different authenticating mechanisms to fully identify the person who wants to gain access.  In this case, try to eliminate using passwords altogether, and use something that is much more robust, such as an RSA token or a Smart Card, in conjunction with Fingerprint Recognition and/or Iris Recognition.

5) Attack Surface:

As a business owner or a CISO, it might be very tempting to connect as many IoT devices together as possible, because the thinking here is that this will increase productivity and offer seamless communications.  While there might be some truth to this, the bottom line is that with all this interconnectivity, you are simply expanding the attack surface for the Cyberattacker.  Through just one point of entry, a malicious payload can be easily deployed and have a cascading effect upon your entire IT and Network Infrastructure.  The moral of the story is to connect only what absolutely needs to be connected, and always keep track of whether you are adding more, unneeded connections.  This can be easily done by using the various Heat Maps in Microsoft Azure.

My Thoughts on This:

Well, there you have it, a quick list as to what you can do to mitigate risks to your IoT devices, and to fill in those gaps and weaknesses that you discover.  This all requires a 24 X 7 X 365 watch, and although this might seem impossible to do from the outset, you can automate much of this, especially by making use of a SIEM based platform.

Sunday, December 1, 2024

How Even The Oldest Threat Vectors Can Bring New Opportunities



Very often, I get asked this question: “What is Cybersecurity?”  For those of us that are in the field, we know that this can be difficult to answer, depending upon the context in which you want to give it.  But most of the people I come across are average American citizens, trying to make a go of their lives.

So, what I tell them is this: “Cybersecurity is the protection of digital assets, no matter where they are located at”.  Given this broad answer, and if I meet the same person again, a follow up question that I get asked is: “What kind of new things are happening in Cybersecurity”?

Well, once again, this can be a difficult one to answer.  So, depending upon the background of the person, I usually tell them that opportunities are usually dictated by what is new on the Cyber Horizon, meaning the threat variants. 

And, if they probe even deeper, I usually start with Phishing as an example.  I tell them that this is the oldest threat vector that is out there, having its origins back in the early 1990s.

The first true Phishing attack then happened in the late 1990s, with the victim being America Online (AOL).  Then I usually get into how Phishing has become much more sophisticated over time, and just how it is close to impossible to tell if an email message is authentic or not. 

This is driven by ChatGPT, which almost eradicates all the telltale signs of a Phishing message.  If the conversation with this person goes on even deeper and longer, I give them further examples of this:

* The rise of Ransomware Attacks, especially those that are Extortion based.

* The boom in Business Email Compromise (BEC) Attacks (this is where a fake invoice is sent, and the Cyberattacker coerces the victim into wiring a hefty sum of money to an offshore account).

* The boom in Smishing Attacks, where a Phishing based text message is sent to your smartphone.

* And so forth.

So, what I am trying to get at here is that even the oldest of threat variants can still pose new opportunities for people in Cybersecurity as we now fast track into 2025.  Another question I get asked is about Robocalls.

I tell them if they ever get a phone call from a number that they do not recognize, it is best to simply delete it.  If it is real and important enough, the person making the call should leave a voicemail.  These kinds of calls are based upon the concepts of Social Engineering.

This is where the Cyberattacker preys upon the emotions of the victim, and once they feel that they are vulnerable enough, they will move for the proverbial “kill”.  This could range anywhere from having the victim tell them their own login credentials, to even those of the people that are associated with them.

Social Engineering also goes back an exceptionally long time, well before Phishing was born.  But today, it still presents new opportunities.  For example, some of the Penetration Testers I know often engage in Social Engineering exercises by visiting the actual, onsite premises of the client.

They will then assume the role of a legitimate employee (of course they are not, though) and see how easily they can get into the client’s business, by trying to bypass as many of the security checks as they can.  Heck, on a podcast once, a Penetration Tester told me of a case where they actually launched a non-intentional Social Engineering attack against some people from within the client’s business.  Over time, they were able to build a very convincing dialog with the victims, who otherwise would have fallen prey if it was the real thing.

In fact, just some time ago, one of my best friends asked me about what Trojan Horses were all about.  To keep things simple, I told them that it was a form of Malware, which when deployed covertly onto your computer, will function as a legitimate application. 

But on the inside, it is a different story.  It could be ready to set a malicious payload and detonate it at a preset time, or it could even be Keylogging software that is covertly recording your keystrokes to capture your passwords.

I also told him that Trojan Horses have become so sophisticated that even the newest of the Anti-Malware software packages cannot detect them, because the attack is more targeted towards the CPU and memory of the device.  I even mentioned that there is really nothing new about Trojan Horses; they go as far back as I can remember.  Heck, they were even around when the TRS-80 computers from Radio Shack first came out.

Even an old threat variant like this one poses new opportunities, especially for the Threat Researcher, who is trying to determine these kinds of signature profiles.  Finally, I have even been asked about the recent CrowdStrike incident.

I usually tell people that this is technically known as a “Supply Chain Attack”, whereby a Cyberattacker can deploy a malicious payload through just one point of entry, which in turn, can impact thousands of people, even on a global basis.

If they are interested even further, they then ask me this: “How can so many people be impacted all at once?”  My standard answer for this one is that it is because of the increase in connectivity of just about everything.

One backdoor that is left open can trigger a cascading effect.  But once again here, the issue of secure connections goes back a long time as well, especially with our aging Critical Infrastructure.  Some of the recent attacks have led to our water supply being almost poisoned, and the flow of natural gas being completely disrupted on the East Coast.

My Thoughts on This:

In case you are wondering, my entire purpose of this blog is to simply illustrate that even the oldest attack vectors can still bring in new opportunities for an IT Security team and the CISO to probe into.  By doing this, critical thinking and research skills will be further refined.  In the end it is not all about Generative AI.  True, it is here to stay and will be forever, and it too brings its set of pluses and minuses to the table as well.

But now it is time that we get out of this hype and start getting back to basics in Cybersecurity.

Friday, November 29, 2024

Customer Retention After A Security Breach: 3 Golden Tips



I have written many times about the need for Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) Plans before.  A lot of confusion still exists among all three of these, so here is a brief differentiator amongst all three of them:

IR:  This is a plan that has been created to immediately put out the fires from a threat variant that has just been discovered and is causing harm to the business.

DR:  This is a plan to restore the mission critical operations after a business has been hit with the threat variant.

BC:  This is a plan that details how the business will come back to a sense of normalcy over the long term, after it has been impacted by a security breach.

Many CISOs did not fully realize the importance of these plans until the COVID-19 pandemic hit.  But of course, back then nobody ever predicted that we would have a 99% remote workforce.  So, you might be wondering why I am mentioning all of this?  Well, think about it.  The common theme here is not only about containing a security breach but dealing with the aftereffects of it.

And one of the greatest impacts of all of this will be felt by your customer.  Unless they are extremely loyal to you, the chances are that they will stop doing business with you and go to your competitor.  To a business owner, this of course does not seem fair, but to the customer their valuable PII datasets have been stolen, and of course, they will go somewhere else where they feel that it will be protected better.

To this extent, the only thing businesses do other than notifying them about the security breach is to offer free credit monitoring for a period of up to one year.  Whenever I wrote about this, I always wondered, can’t more be done?  Well, this morning, I came across an article that addresses this very issue.  Here are some of their thoughts:

1) Go beyond the norm:

By this, I mean that a business should do more than simply do Penetration Testing, Vulnerability Scanning, and Threat Hunting.  While these are great exercises to do, another vehicle that should be explored is the use of Bug Bounty programs.  With this, you are holding a contest and inviting people to find the gaps and vulnerabilities in your applications, whether they are hardware or software based.  Whoever finds them and offers the best solution for remediation will then be awarded a cash prize.  But there is one caveat here:  You must be careful of who you invite.  For instance, some of the worst of the breed can apply, especially the Black Hat hackers.  This kind of program can prove to be beneficial, as it takes out the bias in finding those gaps and weaknesses.

2) Quick reporting:

If a business has been impacted by a security breach, it is their fiduciary responsibility to alert not only their customers but other relevant key stakeholders as well.  But this must be done quickly, like within hours, not days or weeks.  The problem here is that many businesses now resort to social media to let people know what has happened.  But given this era of disinformation, it is hard to know what is real and what is not.  Another option would be to place immediate phone calls and text messages, but with Robocalls and Phishing based SMS messages, once again it is hard to discern reality.  In this regard, the best option would be to send a letter out via snail mail.  Or, the business could hire a PR team and let them professionally handle notifying the customers and key stakeholders.

3) Offer more tools:

The business should also offer something more, like giving a free license to a Password Manager.  But of course, much more must be done here; for example, the IT Security team will need to train the customers in how to effectively use it to secure their passwords.  But to me, this sends a powerful message that despite what happened, you are trying to make amends with them.  The author of the article even mentioned giving a small financial compensation, such as $200.00 or so.  But to me, this serves no purpose whatsoever.  First, this amount is paltry compared to what the real damage will be if their PII datasets have indeed been heisted, and second, paying off people can in the end seem to be pretty offensive.

My Thoughts on This:

It has been cited that security breaches have spiked up as much as 78% since 2023 (SOURCE:  We Can Do Better Than Free Credit Monitoring After a Breach).  Therefore, doing more to help the customer after the fact is going to be of paramount importance.  As the old proverb goes: “It can take months to get a new customer, but only seconds to lose one”. 

Probably the best way to avoid this scenario is to make sure not only that you and your IT Security team have those plans in place (as reviewed in the beginning), but that they are rehearsed on a regular schedule and updated with the lessons learned from each practice run.

Thursday, November 28, 2024

In The Face Of National Division, We Must Be United For Cybersecurity



I have always held one philosophy when writing my blogs.  And that is, I never try to get political, and with Cyber, it can very easily get that way.  But over the last couple of weeks, as I watch the live newsfeeds from CBS, NBC, and ABC, not just me, but everybody around the world is hearing about the deep cuts that the next administration wants to make, and yes, although I don’t think it is all going to happen, just to even hear that is scary.

Yes, our Federal Government is extremely bureaucratic and slow to get things done, and in some ways, I applaud the efforts that are being thought of.  But going to extremes and threatening people is not the way to go about it all.  We need to be a United States that can come together and heal our divisions.  In my lifetime, I have never seen anything like this, nobody has.

But one thing that has not been mentioned at all (and this is good news) is that there has been no talk about slashing Cybersecurity budgets.  Although there is no centralized department for this, there are a lot of agencies that are mingled about here and there.

Some typical examples of these include the National Security Agency (NSA), FBI, as well as Cybersecurity and Infrastructure Security Agency (CISA).  They are all devoted in some way to Cybersecurity, and making sure that threat intel is available to the public to keep us all informed.

One typical example of this is what is known as the National Vulnerability Database (NVD).  This was started back in 1999 by NIST.  While there are other threat intel tools that are out there, an incredibly unique feature about this one is that it has a huge repository of known IT software as well as hardware vulnerabilities, and even the signature profiles of known Cyberattackers.

While the average American may not care too much about this, it is an extremely valuable source of information for those people that participate in Penetration Testing, Threat Hunting, and doing Threat Research.

The NVD originally started out as a research project of sorts, and it grew quite a bit over time until February of this year, when NIST suddenly cut off the funding for it.  There was no warning for this, and of course, it upset the workflows of a lot of people in Cybersecurity.  Because of this, the Federal Government found some financing in its ever-complex budget, which brought the NVD back to life yet again.

My Thoughts on This:

To begin with, the financial support from NIST to the NVD was always underfunded.  Now while there may be some areas of the Federal Government in which certain things can be let go, Cybersecurity is not one of them.  We need to fund these agencies, like NIST, so that they can keep up with the valuable work they do in Cybersecurity.  Of course, Cybersecurity is always an underfunded initiative, especially in the private sector.

The common mentality here is that if a business has not been hit, it will never be hit.  This is far from the truth, because in the end, this will end up in a self-fulfilling prophecy.  Yes, money is needed to support Cybersecurity related efforts and projects in order to keep the hackers at bay, but as a consultant, I often tell people this one simple fact of life:  The cost of recovering from a security breach will far outweigh the cost of deploying the right tools and technologies.

This is so true for small businesses.  They have this same kind of thinking as I just described, and if they do not take a proactive stance, the costs of recovery will make them go bankrupt.  Because of this, all the years of the sweat, blood, and tears that they put into growing their business will totally evaporate in just a short period of time.

We are all prone to becoming a victim of a threat variant; nobody is ever 100% immune from it.  But the key is to take a proactive stance now to mitigate the risk of this happening to you personally, or even your business.

This quote nicely sums this up: “The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts.”

(SOURCE:  Presidential Transition Task Force).

While I hope and pray that all divisions in the United States heal, until it does happen, we must now and forever stand united as a Great Nation when it comes to staying one step ahead of the Cyberattacker.


Sunday, November 17, 2024

8 Golden Ways To Combat The Cyber Risks Of Open Source Platforms



Back in the day, when I was a graduate student at BGSU, I also worked full time for the university in their computer services department.  While my job primarily involved dealing with faculty, staff, and students about which IBM or Apple computer they should buy, I also dealt a lot with the hardware side as well.  But the one thing that I was lacking was a knowledge of software.

But that problem was soon more or less solved when I met a fellow worker there.  He became one of my best friends until his untimely death.  His name was Dr. Morgan Deters, one of the sharpest and most intelligent people I have ever known.

He introduced me to what is known as Open-Source Software, especially in the way of Linux.  Although I did not get all of what he was saying (after all, he was a computer scientist), I did get that OSS has certain benefits over the Closed Source Platforms, such as Windows.

For example, I learned that it was free to use and distribute, and licensing was not an issue.  Also, you could collaborate with other people around the world in case you needed help with the coding.  Well, fast forward from back then, 1999, to the present, which is almost 2025.  Today, we are seeing the explosion of OSS being used everywhere, especially when it comes to creating mobile apps and web-based applications.

But because of this, security has been very much lacking.  Probably the best example of this is the use of APIs.  You may be wondering what an API is, but to keep things simple, it is the bridge between the backend (such as the database) and the front end (which is the Graphical User Interface [GUI]).

If one were to try to develop this kind of code on their own, it would take a long time to accomplish.  So the idea of the API is to have some baseline source code in it, so that the software developer can tweak it to their own requirements.  The primary benefit of this is that of time savings, especially when a project must be delivered to a customer.

But because of the Cyber Threat Landscape of today, software developers are under the gun to make their source code as secure as possible.  But even with this, it is not done on a regular basis, either because they simply do not understand what Cybersecurity is all about, or simply because they just do not care.

Well, if you lead a team of software developers, here are some tips that you can employ to make sure that security is of topmost priority:

1) Effective Communications:

No matter how large or small your team might be, instill an environment where open communication is fostered.  Let your software developers talk freely with one another about the separate modules that they are working on.  By taking this effort, you will also be eliminating the silos that software developers often feel comfortable working in.

2) Have Documentation:

Even though software developers hate writing (at least the ones I know of), keeping detailed notes as to how the source code is being developed, and most importantly tested, is of paramount importance.  That way, if an issue ever develops, you will have a record that you can fall back on.  In a worst-case scenario, you can always hire a technical writer who has experience in APIs to collaborate with your team to create this documentation.

3) Have Ownership:

By this, I mean hold each software developer both accountable and responsible for each source code module that they create.  In this regard, make sure that they are checking off the list when it comes to the security items that they need to be testing for, and audit all of this.  If they fail to comply with all of this, then you need to ask them some serious questions as to why items were ignored.

4) Be Proactive:

Although this can be very much a subjective term in how you define it, when it comes to your software development team and using OSS, you must instill a sense amongst them that security is of topmost importance.  But as I have alluded to before, they simply may not understand just how important Cybersecurity is.  One of the best ways to resolve this is to have training sessions to teach them about it.  Here are some topics to include:

* Understanding the differences between weakness, vulnerability, and exploitation.

* Explaining what a threat variant is, and the amount of damage that they cause, especially from a monetary standpoint.

* Teach about the tools that they can use to find the holes in their source code, such as Penetration Testing and Threat Hunting.

* Also teach them about the oldest threat variants and how they are being used today, such as Phishing, SQL Injection Attacks, Trojan Horses, etc.

* Explain to your team the Cyber Risks that each kind of programming language brings to the table.

My Thoughts on This:

Some other, more technical ways in which you can make your software development team maintain a strong level of “Cyber Hygiene” as they use their OSS platforms and create the source code include:

Ø  Implement a DevSecOps Team:  This is an acronym that stands for “Development, Security, and Operations”.  You are taking members from each of these respective areas to make sure that the source code and APIs are as secure as possible before final delivery to the customer.  One of the greatest benefits of taking this kind of approach is that there will be more sets of eyes looking at the modules to make sure that the software development team is fully complying with the security requirements.

Ø  Teach your software developers how the customer will use the final product, and the risks they face in case a security breach occurs because of a flaw in the application that they have developed.  This is also called “Contextual Awareness”, and it can go a long way in terms of the huge risks that a threat variant can carry.

Ø  Consider using Generative AI as another means to check for the security of the source code.  While this should not be relied on in its entirety, it can help with the automation of the more routine and mundane tasks that the software development team may face.

One of the major weaknesses in the source code as it is being developed is that “Backdoors” are often left behind by the software developer.  This is a point of entry for the developer to get in and run the needed Quality Assurance (QA) checks.  These are often forgotten about, and this leaves an extremely easy spot for the Cyberattacker to sneak into and stay in covertly for extended periods of time.  These also need to be checked.
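As an added illustration of the DevSecOps checks and the leftover-backdoor problem described above, here is the kind of pre-merge scan a DevSecOps team could run over source code before it goes to QA or the customer.  This is example code written for this post, not code from any of the OSS projects or vendors discussed; the regex patterns, the `ci_gate` helper and the two constructed sample sources are assumptions about what such a check looks like (the `hash_password` call inside the samples is only part of the scanned text, not a function this script defines).

```python
import re
from typing import List, Tuple

# Illustrative heuristics for what a pre-merge check should flag: hard-coded
# credentials and test-only login paths.  Assumed patterns, not an exhaustive rule set.
PATTERNS = [
    ("hard-coded credential",
     re.compile(r'(?i)(password|passwd|secret|api_key|token)\w*\s*=\s*["\'][^"\']+["\']')),
    ("credential compared to literal",
     re.compile(r'(?i)(password|passwd|token)\s*==\s*["\'][^"\']+["\']')),
    ("debug/QA bypass flag",
     re.compile(r'(?i)\b(debug|qa|test)_?(bypass|backdoor|login|mode)\b')),
    ("auth bypass for fixed user",
     re.compile(r'(?i)\b(user(name)?|login)\s*==\s*["\'](qa|test|debug|admin)[^"\']*["\']')),
]


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding label, stripped line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments are not executable; skip them to keep noise down
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, stripped))
                break  # one label per line is enough for triage
    return findings


def ci_gate(source: str) -> bool:
    """True when the source passes (no findings); a pipeline would fail the merge otherwise."""
    return not scan_source(source)


# Constructed sample: a login routine with the QA backdoor still in it.
SAMPLE_SOURCE = '''\
import hmac

QA_BYPASS = True            # leftover from release testing
QA_MASTER_PASSWORD = "letmein-qa"

def authenticate(username, password, user_store):
    # Leftover QA backdoor: anyone who knows the literal gets in.
    if QA_BYPASS and password == "letmein-qa":
        return True
    record = user_store.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))
'''

# Constructed sample: the same routine with the test-only path removed.  QA exercises
# this one function through ordinary test fixtures instead of a special password.
HARDENED_SOURCE = '''\
import hmac

def authenticate(username, password, user_store):
    # No test-only path: QA uses fixtures against the real code path.
    record = user_store.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))
'''


if __name__ == "__main__":
    for name, src in (("backdoored", SAMPLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"--- {name}: {'PASS' if ci_gate(src) else 'FAIL'}")
        for lineno, label, text in scan_source(src):
            print(f"  line {lineno}: {label}: {text}")
```

Run against the first sample the scan flags the bypass flag, the hard-coded QA password and the literal comparison, and `ci_gate` returns False; the hardened sample produces no findings.  A real pipeline would pair a heuristic like this with a proper SAST tool and secret scanner, but even this small gate makes the “forgotten backdoor” a failed build rather than a silent feature.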

Sunday, November 10, 2024

Beware Of That IoT Device You Are Going To Give As A Gift!!!

As we fast track now into Thanksgiving and the Holidays, gift giving is going to be the norm yet once again.  To me, I think it should be plain and simple, and luckily for me, most of my close friends are happy with getting a nice gift card to their favorite restaurant. 

But for many other people, and especially those with families with kids, electronic items seem to be the premier choice for gifts.

While this may be nice, there is one thing you need to take into serious consideration.  And that is the Cybersecurity that is built into the electronic item that you are giving.  A long time ago this was an unheard-of thought, but nowadays, you must be careful. 

One instance in which you need to pay incredibly careful attention is when you give a gift that falls under the realm of the “Internet of Things”, also known as “IoT” for short.  While some of us have a general concept of what it is, here is a technical definition of it for those who may not have heard of it:

“The Internet of Things (IoT) refers to a network of physical devices, vehicles, appliances, and other physical objects that are embedded with sensors, software, and network connectivity, allowing them to collect and share data.”

(SOURCE:  What is the Internet of Things (IoT)? | IBM)

Although the definition primarily refers to physical devices, it can also refer to those that are virtual as well.  Probably one of the best examples of the IoT is what is called the “Smart Home”.  In this set up, all your appliances (or just some of them) are interconnected. 

So, when you get up in the morning, and want to start brewing that first cup of coffee, you can simply tell your digital assistant to do it, and it will start.

But despite these neat advantages, IoT devices, at least those that are used in the home environment, carry a number of Cyber risks, which are as follows:

Ø  If you have multiple IoT devices all connected, you are simply creating a large surface for the Cyberattacker to covertly penetrate. Once they are in one device, they can quite easily move into the others as well, causing havoc in your home.

Ø  The network communications of IoT devices are not encrypted.  They primarily use RFID transmissions, which can easily be hacked into with a simple network sniffer.

Ø  Any information or data that you have on your IoT devices is saved in a plaintext format.  Meaning, if you have your password stored on one of them, that is exactly how it will appear to the Cyberattacker after they get into it – your password will be in plain English.

Ø  Many of the vendors that manufacture IoT devices for the home typically do not take Cybersecurity into consideration in the design of it.  For instance, they often tell customers that simply relying on the default security settings they have in place are enough – which is a blatant lie.

Ø  Customers of IoT devices can easily fall prey to a scam – such as buying a fake product on Amazon or eBay.

But the good news here is that governments, and even here in the United States, are stepping up to the plate in creating and enacting legislation intended to help protect consumers.  Some examples of these are as follows:

Ø  The passing of the Cyber Resilience Act by the European Union (EU).

Ø  The passing of the Cybersecurity Bill 2024 by Australia.

My Thoughts on This:

If you still decide to purchase an IoT device as a gift, consider these safety tips:

Ø  Make sure of the authenticity of the device you are buying.  Although it is quite tempting to get a cheaper one from Amazon or eBay, remember the adage that “you get what you pay for”.

Ø  If you decide to make this purchase online, make sure you do it on the ecommerce store of a reputable vendor.

Ø  Go through the Google reviews for those IoT devices you are interested in buying.

Ø  If possible, contact the vendor directly to see what kind of Cyber safeguards they put into the device.  If you do not feel comfortable with what they are telling you, then that should be a huge red flag to you to avoid getting it altogether.

Ø  Once you have made that purchase, make sure to tell the person to whom you are giving it as a gift not to use the default settings, but rather to configure the strictest security settings that are possible.

Ø  Also, remind them of the need to download the relevant software patches, upgrades, and even the firmware onto the device as they come out.

Ø  Remind them not to store personal data on the device.  If a Cyberattacker can get hold of this, it will be sold on the Dark Web or worse yet, even be used in an extortion attack.
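To tie the risk list and the safety tips above together, here is an added example of a small posture audit that the recipient (or you, before wrapping the box) could run against what a device’s admin page and manual disclose.  It is example code written for this post, not a tool from any vendor or standards body; the default-password list, the risky-service table, the “separate IoT network” check and the two constructed device records are assumptions for the illustration, and the hardened record shows what the same device looks like once the tips have been applied.

```python
from typing import Dict, List

# Constructed set of factory/default passwords that should never remain in use
# (illustrative, not a vendor-specific list).
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456"}

# Services a home IoT device should not expose, keyed by port (assumed mapping).
RISKY_SERVICES = {21: "ftp", 23: "telnet", 80: "unencrypted admin UI (http)", 1900: "upnp/ssdp"}


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: Dict) -> List[str]:
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    pw = device["admin_password"]
    # Tip: never leave the default settings in place.
    if pw in KNOWN_DEFAULT_PASSWORDS or pw == device.get("factory_password"):
        findings.append("default or factory admin password still in use")
    # Tip: keep firmware current.
    if parse_version(device["firmware"]) < parse_version(device["latest_firmware"]):
        findings.append(f"firmware {device['firmware']} is behind latest {device['latest_firmware']}")
    # Risk: unencrypted management and discovery services on the home network.
    for port in device["open_ports"]:
        if port in RISKY_SERVICES:
            findings.append(f"{RISKY_SERVICES[port]} exposed on port {port}")
    if not device["cloud_tls"]:
        findings.append("traffic to the vendor cloud/app is not protected by TLS")
    # Risk: data kept in plaintext on the device.
    if device["stores_credentials_plaintext"]:
        findings.append("stores credentials in plaintext on the device")
    # Risk: many devices on one network give an intruder an easy path between them
    # (segmentation is an assumed mitigation added for this example).
    if device["network_segment"] == "main":
        findings.append("shares the main LAN with laptops/phones; put it on a separate IoT network")
    return findings


def audit_inventory(devices: List[Dict]) -> Dict[str, List[str]]:
    """Audit every device and map its name to its findings."""
    return {d["name"]: audit_device(d) for d in devices}


# Constructed record: a smart plug exactly as it comes out of the box.
WEAK_DEVICE = {
    "name": "smart-plug (as unboxed)",
    "admin_password": "admin",
    "factory_password": "admin",
    "firmware": "1.0.3",
    "latest_firmware": "1.2.0",
    "open_ports": [23, 80, 1900],
    "cloud_tls": False,
    "stores_credentials_plaintext": True,
    "network_segment": "main",
}

# Constructed record: the same plug after the safety tips have been applied.
HARDENED_DEVICE = {
    "name": "smart-plug (hardened)",
    "admin_password": "correct-horse-battery-9xQ",  # constructed, unique value
    "factory_password": "admin",
    "firmware": "1.2.0",
    "latest_firmware": "1.2.0",
    "open_ports": [443],
    "cloud_tls": True,
    "stores_credentials_plaintext": False,
    "network_segment": "iot-vlan",
}


if __name__ == "__main__":
    for name, findings in audit_inventory([WEAK_DEVICE, HARDENED_DEVICE]).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

The unboxed record fails on every check (eight findings), while the hardened record passes cleanly.  Some of these facts, such as whether the app traffic uses TLS or whether credentials are stored in plaintext, are exactly the questions to put to the vendor before buying, per the tip above; if they cannot answer them, treat that as the red flag the post describes.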

Just remember that in the end, trust your gut.  If something does not feel right, look for another IoT device that you are more comfortable with giving away as a gift. 

Cybersecurity, as it relates to the IoT, is not just confined to the home – it also has a strong bearing on the Critical Infrastructure as well.  But this will be examined in a future blog.
