I was just talking to one of my old grad school buddies last night on the phone, and we were both discussing just how fast this year has gone. He mentioned that he still has some shopping to do. So, this brings up the topic of gifts for the Holidays.
True, everybody has their own style of shopping and knows what their family and friends want, but it seems to come down to two things: gift cards and electronic items. In terms of the latter, I have stayed out of the loop on what the newest things are, except for what I see in the Cyber headlines.
It seems like anything that has the term "Internet of Things" (or IoT) branded onto it is a popular choice. I surmise that the reason for this is that it brings up images of convenience, and in some ways it even conveys a certain stature, by keeping ahead of the neighbors.
But honestly, while it may be great to have your coffee pot, toaster, or even your car started by Siri or Cortana, there are a lot of disadvantages to it as well, especially from the standpoint of Cyber.
For one, by having so many interconnected devices in your home (which gives birth to the name "Smart Home") you are expanding the attack surface that much more for the Cyberattacker: every device is one more host that can be compromised. For instance, many of the communications that take place between your gadgets are still sent in what is known as "Plaintext", meaning nothing is encrypted, so anyone on the same network can read or tamper with them.
Second, because these gadgets are reachable over the Internet, it is much easier for the Cyberattacker to launch remote attacks against them, and even control them from thousands of miles away.
This is the fear we are now seeing with Smart Cars and even the latest airliners produced by both Airbus and Boeing. So much technology and electronics are packed into them that the worry is that a hacker could break into them remotely and, in the worst case, steer them off course.
Back in the days of traditional analog technology, this probably would never have been a problem. But now it is.
Now there is an even greater problem. These IoT gadgets that you can get at the store are now making their way into the IT and Network Infrastructures of Corporate America. This has given rise to an even newer term, the "Extended Internet of Things", or "XIoT" for short. Here are some examples that you, the CISO, and your IT Security team should be on the lookout for:
1)
Connections to the endpoint:
Although organizations are doing a much better job of protecting their endpoints (which in my book are the points of origination and termination of the network lines of communication), some are still not, and the Cyberattacker knows this. Thus, it becomes an easy point of access for them to enter quickly and covertly. But now, for example, suppose your endpoints are well fortified: if you introduce an IoT device into your infrastructure, it can undermine what you have already worked so hard to make secure. Why is this the case? Well, a laptop or server can run an endpoint agent, be patched, and be managed by the network security tools you already have. This is not the case with IoT devices: most cannot run an agent, ship with hardly any security features to begin with, and often cannot be patched at all, so they sit inside your network as unmanaged hosts. The moral of the story here is don't connect any device that you are not familiar with into your IT/Network Infrastructure. If you have to, always test the device and its connections in a sandboxed environment first, and put it on its own network segment so that it can reach only the services it actually needs.
Technically speaking, this kind of attack is known as pivoting: the attacker uses the weak device as a stepping stone to reach better-protected systems. Back in 2019, Microsoft described an intrusion of exactly this kind, where the attacker gained initial access to corporate networks through compromised IoT devices (a VoIP phone, an office printer and a video decoder) and then tried to move laterally to other hosts; in two of the cases the devices were still using the manufacturer's default passwords, and in the third the latest security update had not been applied.
More information about that can be seen here:
https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
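As an added example (this is not code from the original post, nor from Microsoft), here is the kind of check a SOC can run over network flow records to catch an IoT device being used as a pivot: a printer or desk phone should answer requests from workstations, not open SMB or RDP sessions toward them. The device inventory, the egress allow-list, the CSV layout and the flow records below are all constructed for illustration.

```python
"""Flag connections that an IoT device initiates toward other internal hosts.

Added example, not from the original post. The inventory, allow-list and
sample flows are constructed; adapt the IPs and ports to your own environment.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory: IoT device -> the inbound services it legitimately offers.
# A device should *answer* on these ports; it should rarely *initiate* sessions.
IOT_INVENTORY = {
    "10.20.0.15": {"name": "lobby-printer", "serves": {9100, 631}},
    "10.20.0.22": {"name": "voip-phone-ext2231", "serves": {5060}},
    "10.20.0.40": {"name": "conf-room-video-decoder", "serves": set()},
}

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed allow-list of internal dependencies a device may initiate to
# (its PBX, update server, DNS, ...). Anything else is suspicious.
IOT_EGRESS_ALLOW = {
    "10.20.0.22": {("10.1.1.5", 5060)},   # VoIP phone -> PBX
}

# Admin / remote-access / file-sharing ports: an IoT device opening these
# toward a workstation is the signature of a pivot.
PIVOT_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios",
               445: "smb", 3389: "rdp", 5985: "winrm"}

# Constructed flow records (one line per unidirectional flow).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2019-04-02T08:01:10Z,10.1.50.12,52311,10.20.0.15,9100,tcp,18220
2019-04-02T08:01:11Z,10.20.0.15,9100,10.1.50.12,52311,tcp,640
2019-04-02T08:01:15Z,10.20.0.22,5060,10.1.1.5,5060,udp,410
2019-04-02T08:03:40Z,10.20.0.15,40111,10.1.50.12,445,tcp,3120
2019-04-02T08:03:41Z,10.20.0.15,40112,10.1.50.13,445,tcp,3160
2019-04-02T08:03:42Z,10.20.0.15,40113,10.1.50.14,445,tcp,3100
2019-04-02T08:05:02Z,10.20.0.40,38001,10.1.200.9,3389,tcp,9001
2019-04-02T08:06:00Z,10.20.0.40,38002,8.8.8.8,53,udp,80
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["src_port"] = int(r["src_port"])
        r["dst_port"] = int(r["dst_port"])
        rows.append(r)
    return rows


def find_pivots(flows):
    """Return one alert per flow in which an inventoried IoT device initiates a
    connection to an internal host that is not on its allow-list."""
    alerts = []
    for f in flows:
        src, dst, dport = f["src_ip"], f["dst_ip"], f["dst_port"]
        dev = IOT_INVENTORY.get(src)
        if dev is None or not is_internal(dst):
            continue                      # not an IoT source, or external egress
        if f["src_port"] in dev["serves"]:
            continue                      # reply half of a session a client opened to it
        if (dst, dport) in IOT_EGRESS_ALLOW.get(src, set()):
            continue                      # expected dependency (PBX, DNS, update server)
        alerts.append({"device": dev["name"], "dst": dst, "port": dport,
                       "service": PIVOT_PORTS.get(dport, "unexpected")})
    return alerts


def summarize(alerts, scan_threshold=3):
    """Aggregate alerts per device; several distinct targets on pivot ports
    within the window looks like a lateral-movement sweep, not a one-off."""
    per_dev = defaultdict(lambda: {"hosts": set(), "services": set()})
    for a in alerts:
        per_dev[a["device"]]["hosts"].add(a["dst"])
        per_dev[a["device"]]["services"].add(a["service"])
    return {
        name: {"hosts": len(s["hosts"]), "services": sorted(s["services"]),
               "verdict": "lateral-scan" if len(s["hosts"]) >= scan_threshold else "pivot-attempt"}
        for name, s in per_dev.items()
    }


if __name__ == "__main__":
    for name, s in summarize(find_pivots(parse_flows(SAMPLE_FLOWS))).items():
        print(f"{name}: {s['verdict']} ({s['hosts']} host(s), {', '.join(s['services'])})")
```

Two details matter in practice: the `serves` check keeps the reply half of a legitimate print job from being counted as the printer "initiating" a connection, and the allow-list is what keeps the VoIP phone's SIP registration to the PBX quiet. Everything else an IoT device opens toward an internal host is worth a ticket, and three or more distinct targets on SMB within a few seconds is a sweep.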
2)
Data Theft:
When one hears this term, they often think of theft from a database of PII datasets. While this is the traditional way of looking at it, it is important to keep in mind that data can be anywhere, for example even in your copier, printer, or digital fax machine. One of the industries most prone to this is healthcare. Just about every medical device that is used to conduct an examination on you will contain some kind of data about you. Also, it is this industry that tends to use more IoT-based devices than most others. Because they are connected to other medical devices, the IoT devices will also hold, or at least pass through, some of that data. So in the mind of the Cyberattacker, why go after something that is harder to get into, like a CAT scan machine, when I can easily gain a foothold on an insecure IoT device and exfiltrate data that way?
3)
A way to keep coming back:
Once a Cyberattacker has found a way in, they will want to stay in for as long as possible. Eventually they will leave once they have collected all of the prized possessions they came for. But will they come back again? More than likely yes, but not immediately. They will probably go after other targets, then come back. Also, given how easy it was to penetrate through the IoT device, they will probably use the same entry vehicle once again, to see what new things have been procured and deployed since. Once again, try not to use an IoT-based device in your organization unless you absolutely have to. It's just one less thing to worry about. Also, it could be the case that the Cyberattacker finds a home in the IoT device itself to camp out in: because the device is rarely patched, rarely monitored, and never reimaged the way a laptop is, an implant planted on it can survive for a very long time. Establishing this kind of foothold is known as persistence.
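As an added example (not from the original post), here is one way to spot a device that is being used as a persistent foothold: an implant on an IoT device typically "phones home" to its operator at a fixed interval, and that regularity stands out from normal traffic once the device's known dependencies are excluded. The addresses, the allow-list and the timestamps below are constructed for illustration.

```python
"""Spot an IoT device that keeps calling one external host at a regular interval.

Added example, not from the original post. Flow records, device addresses and
the vendor allow-list are constructed; tune min_events and max_jitter to your data.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed allow-list: external endpoints a device is expected to poll
# (its vendor's cloud / update service). Periodic traffic here is normal.
ALLOWED_EGRESS = {("10.20.0.22", "203.0.113.200", 443)}


def _build_sample():
    """Constructed flow records as (timestamp, src_ip, dst_ip, dst_port)."""
    t0 = datetime(2019, 4, 3, 2, 0, tzinfo=timezone.utc)
    flows = []
    # printer contacting one external host every 5 minutes, a few seconds of jitter
    for i, j in enumerate([0, 3, -2, 4, -1, 2, 0, -3, 1, 2]):
        flows.append((t0 + timedelta(seconds=300 * i + j), "10.20.0.15", "203.0.113.7", 443))
    # same printer syncing with the internal NTP server: internal, ignored
    for i in range(4):
        flows.append((t0 + timedelta(seconds=1024 * i), "10.20.0.15", "10.1.1.20", 123))
    # VoIP phone polling its vendor's cloud: periodic, but allow-listed
    for i in range(6):
        flows.append((t0 + timedelta(seconds=600 * i), "10.20.0.22", "203.0.113.200", 443))
    # video decoder fetching content at irregular times: not a beacon
    for s in [0, 20, 420, 510, 2010, 2050, 2400]:
        flows.append((t0 + timedelta(seconds=s), "10.20.0.40", "198.51.100.5", 443))
    return sorted(flows)


SAMPLE_FLOWS = _build_sample()


def find_beacons(flows, min_events=5, max_jitter=0.15):
    """Group external connections by (src, dst, port) and report the groups whose
    inter-arrival times are nearly constant (stdev/mean <= max_jitter)."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            continue                      # east-west traffic is the pivot detector's job
        if (src, dst, port) in ALLOWED_EGRESS:
            continue                      # known vendor dependency
        groups[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            beacons[key] = {"events": len(times), "period_s": round(mean),
                            "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every ~{info['period_s']}s "
              f"({info['events']} events, jitter {info['jitter']})")
```

The allow-list is the important caveat: plenty of legitimate IoT traffic is periodic (NTP, a vendor's telemetry endpoint), so the detector is only as good as your inventory of what each device is supposed to talk to. A device that shows up here with an unexplained destination is exactly the "home to camp out in" the text describes, and the fix is the same as before: segment it, restrict its egress, and replace or reflash it rather than trust it.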
My Thoughts On This:
There have been attempts by the states to introduce legislation in order to make vendors build a baseline of security into their products. One example was California's connected-device law (SB-327), enacted a few years ago, which requires manufacturers to equip connected devices with reasonable security features, such as a unique password per device or forcing the user to set a new one on first use. But nothing much came out of it, because it was deemed to be too broad in scope.
As I have mentioned twice in this blog, if you can, avoid implementing IoT devices into your IT and Network environments. And if you have to, test them out thoroughly before they are moved into production. Also, remember to change the default settings on them to fit your own security requirements: change the default password, disable any services you do not use, and turn off remote administration from the Internet. Do not rely upon the vendor settings, as they will provide no protection whatsoever!!!
Also, IoT security deserves the same amount of attention as anything else. It should not receive any lower priority; rather, it should be given an elevated status.