We see the explosion in connected devices happening all around us, from self-driving cars to baby cams to former Vice President Cheney’s pacemaker. And data is what fuels these connected devices. But how much do we know about the risks these devices pose to our sensitive personal, medical, and financial information?
How secure are all of these connected “things?” That’s the challenge. It’s not that IoT developers are unconcerned about cybersecurity. In many cases they build in a basic level of “secure” functionality. The problem is that developers do not understand the motivations of today’s cyber attackers, and how that drives their hacking capabilities. What is particularly unappreciated in the development community is the lengths to which attackers will go to find vulnerabilities and exploit them.
A classic case was the exploitation of 1.5 million web cams and other IoT devices to create a massive botnet that was then leveraged for a series of distributed denial of service (DDoS) attacks about a year ago. Did the developers, or the executives at the companies who white-labeled these cameras in their own products, imagine they would be used in this fashion? No, but that does not obviate their shared responsibility in the resulting DDoS attacks, which impacted dozens of other businesses, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, the PlayStation Network and hundreds of smaller companies.
The web cam botnet also graphically illustrates the even greater shared responsibility we all have as participants in this connected cyber ecosystem. The web cam developers expected that purchasers would change the default password for the camera when they connected it to the WiFi router in their home. In some cases, they even recommended that the default password be reset and provided instructions on how to do it. But how many consumers actually did? Probably less than 5%.
This issue extends far beyond web cams. Many customers of a technologically sophisticated cloud-based software-as-a-service (SaaS) provider lost sensitive data when an attacker found out the company used a recurring pattern when setting up the passwords for new client accounts. Did the SaaS provider instruct their clients to change the initial passwords? Yes, but a significant number of clients did not complete the change. This enabled an attacker with virtually no hacking skills to repeatedly log in to individual client accounts using the default password, and access and download sensitive data. The irony is that the attackers were virtually undetectable by conventional network monitoring tools because they appeared to be legitimate users accessing the clients’ data with the legitimate password. The sad dimension of this example is that there are readily available software modules that force a purchaser to reset the default password the first time they log in. So, who is at fault? The SaaS provider, or the clients who didn’t follow good cyber hygiene and change their passwords? The answer is probably both. In this connected cyber environment, responsibility is shared. We are all part of the problem, and must all be part of the solution.
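The forced first-login reset described above, as an added example that is not the SaaS provider's or any vendor's code: accounts are provisioned with a random one-time password (no recurring pattern), and the login gate refuses to grant a session until that password has been replaced. The account store, function names and the 12-character minimum are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory account store; a real service would persist this.
ACCOUNTS = {}

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def provision_account(username: str) -> str:
    """Create an account with a random, per-account initial password that
    must be replaced on first login. Returns the initial password so it can
    be handed to the client out of band (assumed flow)."""
    initial = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash(initial, salt),
                          "must_change": True}
    return initial

def login(username: str, password: str,
          new_password: Optional[str] = None) -> str:
    """Verify the credential. While must_change is set, the only action the
    initial password can perform is setting a new one; no session is granted."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "denied"
    if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        return "denied"
    if acct["must_change"]:
        # Reject a missing, reused, or too-short replacement and keep the gate closed.
        if (new_password is None or new_password == password
                or len(new_password) < 12):
            return "password_change_required"
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["must_change"] = False
        return "password_changed"
    return "ok"
```

Once the flag is cleared the initial password no longer works, so a later attempt with it is indistinguishable from any other failed login and can be alerted on like one.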
The key to solving the cybersecurity conundrum is a fundamental increase in cyber security awareness. That’s why the White House and the Department of Homeland Security designated October as National Cyber Security Awareness Month (NCSAM) back in 2004. Does solving this problem mean corporate executives or software developers should be expected to understand the myriad of techniques hackers employ to attack their networks and products? Of course, the answer is “no.” This endeavor to better understand the risks a company faces on a myriad of dimensions has, however, created a new corporate role: the Chief Information Security Officer, or CISO. The CISOs and their teams provide companies an understanding of the cyber risks they face. CISOs are also versed in the techniques to counter those threats, and their security teams engage with other departments within mid- and large-sized companies to build cybersecurity into business processes and products. Think your organization is too small to afford a skilled CISO? Some cyber firms now offer “virtual CISO” services, where they can flexibly provide you CISO capabilities a few days a month.
There are seemingly endless technologies available to the CISO today to detect and counter cyber threats. One of the most fundamental is the cyber risk assessment: a good risk assessment not only provides a clear picture of the risks an organization faces, it also provides the basis for developing an effective cyber security program. Executives and boards are tasked with understanding risk, and they build their governance programs based on that knowledge. A cyber risk assessment gives the CISO an avenue to communicate the demands of the somewhat arcane cyber world to the C-suite and board in a language they can relate to and understand.
Fortunately, the firms that conduct these assessments can tailor the size and scope of the assessment to your business and the threats you face. If you haven’t had a network security or cyber risk assessment in the last year or two, consider it a dire need to get one now! It’s one of the most impactful things you can do to raise your cyber security awareness.
- Lorenzo Franceschi-Bicchierai, “How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet,” Motherboard (VICE), Sept. 29, 2016
- Stephen Cobb, “10 things to know about the October 21 IoT DDoS attacks,” WeLiveSecurity, Oct. 24, 2016
About the Author
Jim Jaeger is the President and Cyber Strategist for Arete Advisors. Jim has led network incident response investigations into some of the largest breaches to impact US and international businesses. He also helps companies recover from breaches and establish strong cyber security programs going forward. He is available to provide “Large Scale Breach Lessons Learned” presentations to a wide range of audiences.