As Etienne Greeff explains, the IIoT explosion is coming, and enterprises need to protect themselves
In the past few years, IT has changed almost beyond measure. From cloud platforms to virtual desktop infrastructure (VDI) and the mobile technology that enables remote working, organisations are harnessing technology to drive innovation and growth using big data and AI. Alongside this, the Internet of Things (IoT) is also having an impact on business. A key question, though, is how do we go about securing these aspects of the business?
A rapid shift in security thinking is required, and at its forefront must be the idea that there is no longer a traditional corporate perimeter. Instead, IT leaders must now focus on the endpoint to effectively mitigate risk, and work within the new and rapidly evolving threat landscape they find themselves in. This does, however, come with its own set of challenges.
A new threat model
Unfortunately for the enterprise, the easiest way to infect a network with ransomware, steal data or go on a crypto-mining spree is via the endpoint. Endpoints are the attacker's first port of call and have become ground zero for major attacks on enterprises worldwide: reports show that malware-infected endpoints increased over the previous 12 months for 53 per cent of companies. What do these endpoints have in common? They are invariably controlled by the weakest link in a company: its employees.
Phishing is therefore, unsurprisingly, the modus operandi for delivering malware and harvesting credentials on the way to corporate data: in an incredible 93 per cent of data breaches, phishing has been involved in some shape or form. It isn't the only route, however. Brute-force password guessing and automated credential 'stuffing' (replaying username and password pairs leaked from other breaches) are also used to crack accounts. That is before taking into account the newer fileless malware, which lives in memory and in legitimate system tools rather than on disk in order to get around traditional file-scanning endpoint filters; these attacks rose by a disturbing 94 per cent in the first half of this year.
The Internet of Threats is here
What this amounts to is that organisations must get a good grip on endpoint protection through the proper allocation of cybersecurity resources. There is, however, a bigger threat looming. This summer, around 60 per cent of Black Hat USA delegates said they were more concerned about IoT security now than they had been in 2017. Gartner estimates that there will be over 20 billion 'things' in use by 2020, over seven billion of them in business operations alone, so it doesn't take a huge leap of faith to see why. Don't forget that these 'things' range from IoT devices designed to boost efficiency on the factory floor, to smart CCTV cameras and factory maintenance systems. Even smart home security devices such as door access systems and home security cameras come under this umbrella.
Together, these devices make the corporate attack surface larger than ever before. Many of them are not designed with security in mind, and many IoT manufacturers may have no software patching process or vulnerability management programme in place at all. Yet these endpoints are always on, are frequently connected to the corporate network and become an open door through which attackers can infiltrate. Many may never have been approved by the IT department. That smart TV in a factory boardroom or staff room? It may well be covertly recording any and all conversations taking place: corporate espionage at its finest.
Spyware, however, isn't the only threat to exposed IoT endpoints. Devices can equally be hijacked as an access point into the wider corporate network or turned into a remotely controlled industrial sabotage tool. They can also be conscripted into botnets to launch DDoS attacks, crypto-mining and spam campaigns, amongst other examples. Whilst this may not directly harm the organisation whose devices were compromised, the consequences for everyone else can be huge. The Mirai botnet attacks in 2016 were made possible through exactly this process: devices were secured only with factory default logins, which Mirai guessed over Telnet from a short built-in list. The resulting DDoS attack on the DNS provider Dyn took Twitter, Reddit, Netflix and others offline.
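As an added example (not from the article or from SecureData), the following Python sketches how a detection engineer might tell apart the three login-abuse patterns this page describes: brute force against one account, credential stuffing across many accounts, and Mirai-style scanning of factory default logins across many devices. The log format, the thresholds, the hypothetical hostnames and the small default-credential list are assumptions for the example, and the log lines are constructed.

```python
"""Classify failed-login bursts per source IP from a constructed auth log.

Added example, not code from the original article. It separates:
- brute force: one source hammers one account with many passwords
- credential stuffing: one source tries many accounts, about one password each
- default-credential scan: one source tries factory logins across many hosts
The log format and thresholds below are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<ts> <src_ip> -> <dst_host> user=<u> pass=<p> OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) (?P<result>OK|FAIL)$"
)

# Small constructed subset of factory defaults; a real list would be far longer.
DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "root"), ("root", "xc3511"),
    ("root", "vizxv"), ("admin", "1234"), ("root", "admin"),
}


@dataclass
class SourceStats:
    attempts: int = 0                      # failed attempts from this source
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    default_hits: int = 0                  # attempts using a known default pair
    per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Aggregate failed logins per source IP; successes and junk are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        s.hosts.add(rec["dst"])
        s.per_user[rec["user"]] += 1
        if (rec["user"], rec["pw"]) in DEFAULT_CREDS:
            s.default_hits += 1
    return stats


def classify(s, min_attempts=5):
    """Label one source's statistics. Thresholds are example assumptions."""
    if s.attempts < min_attempts:
        return "benign"
    if len(s.hosts) >= 3 and s.default_hits / s.attempts >= 0.5:
        return "default_credential_scan"   # Mirai-style spraying of defaults
    if len(s.users) >= 5 and max(s.per_user.values()) <= 2:
        return "credential_stuffing"       # many accounts, few tries each
    if len(s.users) == 1:
        return "brute_force"               # one account, many tries
    return "suspicious"


def detect(lines, min_attempts=5):
    """Map each source IP seen failing logins to a pattern label."""
    return {src: classify(st, min_attempts) for src, st in aggregate(lines).items()}


# Constructed sample log (hostnames and addresses are hypothetical).
SAMPLE_LOG = [
    *[f"2018-09-10T08:00:{i:02d} 10.0.0.5 -> vpn.corp.example user=jsmith pass=Pass{i} FAIL"
      for i in range(6)],
    *[f"2018-09-10T08:01:{i:02d} 203.0.113.7 -> webmail.corp.example user={u} pass=Leaked{i} FAIL"
      for i, u in enumerate(["amy", "bob", "cara", "dan", "eve", "fay"])],
    *[f"2018-09-10T08:02:{i:02d} 198.51.100.9 -> {h} user={u} pass={p} FAIL"
      for i, (h, (u, p)) in enumerate(zip(
          ["cam-01", "cam-02", "cam-03", "nvr-01", "cam-01", "cam-02"],
          sorted(DEFAULT_CREDS)))],
    "2018-09-10T08:03:00 10.0.0.20 -> webmail.corp.example user=mlee pass=typo1 FAIL",
    "2018-09-10T08:03:05 10.0.0.20 -> webmail.corp.example user=mlee pass=typo2 FAIL",
    "2018-09-10T08:03:09 10.0.0.20 -> webmail.corp.example user=mlee pass=right OK",
]

if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

The point of keying on the mix of distinct accounts and distinct target hosts, rather than on raw failure counts, is that a per-account lockout (the usual brute-force control) does nothing against stuffing or default-credential spraying, where each account or device only ever sees one or two attempts.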
The FBI even went as far as to issue an IoT security alert warning that everything from NAS devices to routers and IP cameras was at risk, with devices in developed nations classified as 'particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses.'
The new security debt
What this boils down to is that when an IoT device is bought for the enterprise without adequate testing and due diligence, the buyer inherits cybersecurity debt created by the vendor's own cost savings and short cuts. That debt is multiplied across hundreds or thousands of IoT endpoints in the organisation, leaving the business with a real problem. This isn't scaremongering; it is a real-world problem: 21 per cent of those same Black Hat USA attendees said they had found an IoT device within their organisation that had been compromised or involved in a breach.
So, what can IT security leaders do? Prior research is crucial. Research your new IoT vendors, especially their policy on vulnerability disclosure and management, how long they commit to shipping security patches, and whether those patches can be applied without a site visit. Luckily, the BSI has introduced a kitemark for IoT and IIoT devices which includes enterprise and 'enhanced security' categories. This may well raise the base standard of security across the industry, making it easier for IT buyers to spot the best devices from the companies that adhere to this new set of standards. Government is also doing its part, with the National Cyber Security Centre (NCSC) providing guidance for developers.
This doesn't, unfortunately, do anything about the already crippling strain placed on IT security teams. The IoT revolution will greatly increase the patch workload, whilst advanced endpoint security features, such as sandboxing, require hands-on time to configure and manage: time that these teams do not have. So, what to do? The answer could be outsourcing security management, leaving IT teams to perform more business-critical activities rather than focusing on an increasingly dispersed and growing endpoint estate.
Increasingly, this is the best method to minimise security risk amid an explosion of endpoints, new and strict European data protection regulations, and boardroom noise that demands digital transformation.
Etienne Greeff is CTO and co-founder, SecureData, a leading cybersecurity services and solutions provider operating throughout the UK and selected overseas markets with revenues approaching £50m and over 210 employees. The group provides a comprehensive range of professional, support and managed cybersecurity services that assess security risk, detect security breaches, protect customer environments and respond to specific security incidents. SecureData’s consultancy arm SensePost includes some of the world’s most preeminent security experts who in addition to advising customers, participate in defining security standards, provide regular research for the benefit of the industry and advise national governments and defence organisations.