Posted on

Internet of Things: Imperfectly Smart Devices

internet of things

Smart technology or IoT continues to shape both consumer and industrial domains. Achievable through the convergence of multiple technologies, which include machine learning, real-time analytics, commodity sensors, and embedded systems. Companies who miss an opportunity and or fail to innovate alongside IoT face the genuine possibility of being overtaken and fail over time.

 

IoT’s most significant trend in recent years is the explosive increase in connected devices, controllable over the internet. According to Fortune Business Insights, the global IoT market size stood at $250.72 billion in 2019. Projections indicate this number will reach $1.46319 trillion by 2027, exhibiting a Compound Annual Growth Rate (CAGR) of 24.9% during this forecast period. 2020 saw a rise in the following components of the IoT model; Networks and Communication, Sensors, Data Analytics (Cloud), and Applications, with different degrees of impact.

 

IoT brings a lot of benefits and new opportunities to businesses all over the world. Environmental sensors, machine learning capabilities, and artificial intelligence platforms provide various operational services for organizations across different industries. Although there are fundamental characteristics shared by most devices, the wide range of applications for IoT technology also means that the particulars can be entirely dissimilar from one device to the next.

 

Due to the large amount and variety of connected devices, IoT continues to implant itself deeper in our lives and society, making it another prime target for cyber-attacks. According to the IBM X-Force Threat Intelligence Index 2020, Financial services remain the topmost attacked industry, closely followed by the Retail sector. Ransomware and Magecart attacks were the most prominent attacks observed against retail and impacted at least 80 reported e-commerce websites in the summer of 2019 alone. Operational Technology (OT) targeting also increased by 2000% from 2018, with more attacks on Industrial Control Systems (ICS) and OT infrastructure than in the past three years.

Operational-Technology-Attack-Trends-2020-IBM-X-Force-Threat-Intelligence-Index-Report-1

Cyber-attacks are not new to IoT; the most common breaches are spyware, malware, and human errors. The latter is critical due to the increase in phishing tactics through email. Attackers have been impersonating consumer tech brands with tempting links to trick users into clicking malicious links. Consumer Technology giants such as Google & YouTube (60%), Apple (15%), and Amazon (12%), made up the bulk of targeted spoofed domains, where attackers hit due to the monetizable data they hold.

 

An innocuous IoT device should not be run unsecured. Therefore, both users and manufacturers need to accentuate and take cyber defense seriously. Thus, resulting in the real need to systematically understand the threats and attacks on IoT infrastructure to secure IoT devices against attackers. This article attempts to identify threat types, analyze, and describe intruders and attacks facing IoT devices and services.

 

Brute-forcing and Poor Passwords

IoT devices often require passwords for users to access and or control the device. According to Cybernews, the most common passwords worldwide are “123456”, “123456789”, “qwerty”, and the word “password” itself.  Weak passwords place your most sensitive information at risk and are similar to not using any password in the first place.

Weak Passwords

Manufacturers typically provide IoT devices with preset login credentials, making setup easier and consumer-friendly. These preset credentials are often openly available from a single web search and easily broken during brute-force attacks. Thus, IT administrators must replace the preset login credentials with significantly stronger credentials. The recommended way to go about this is to create quality passwords unique to the organization or the device and utilizing password managers.

An additional step would be to enable or implement two-factor authentication (2FA). Doing this instantly increases the security level by creating an additional lock that an attacker is less likely to access.

 

Improper Data Transfer and Management

IoT devices make automated decisions and carry out actions without requiring human-to-human or human-to-computer interaction. Thus, it is vital to the integrity of IoT applications that the source(s), data being fed, and produced are protected and verifiable at both ends. To achieve this, data must be encrypted from creation to consumption. However, this typically requires a higher level of encryption, cryptology, and intelligence than is easily achievable by the conventional one-way Transport Layer Security (TLS) encryption.

 

Furthermore, dynamic keys should be employed that ensure each data payload is encrypted with single-use keys that are not stored on the device itself or shared over the network, particularly over an insecure network.

 

Insecure Network

IoT devices require an active network connection to allow endpoints to communicate with each other over the internet. As a result, one of the initial and simplest attack methods a malicious attacker can deploy is to seek out weaknesses in running network services and the network communication model of connected devices.
training & skills acquisition
Attackers attempt to manipulate several vulnerabilities to obtain login credentials, communication tokens, and other identifiers that the Service Ecosystem uses to identify various endpoints. It is crucial to secure endpoints with industry best practices to protect data integrity, privacy, and Man-In-The-Middle attacks (MITM). One method involves encrypting device authentication data at the data-level paired to the public key. Consequently, any captured data should remain unreadable without the equivalent private key.

 

Unsecure Update Process

Firmware and other software patches are often required to be pushed out to IoT devices to prevent them from being compromised or left in a vulnerable state. Organizations have to upload these updates securely to each endpoint as soon as they are made available. Failure to secure access to the update, verify the sources, and integrity can have physical consequences, resulting in data loss and corrode brand reputation, introducing legal liability.

 

Even if vulnerabilities and loopholes are identified, not all IoT devices can be updated securely, and this may be due to the following reasons.

  • Wrongful or no firmware validation.
  • Updates are delivered in plain text or without encryption.
  • No anti-rollback measures
  • Users are not notified of available updates. This is a fairly common occurrence.

 

Implementing anti-rollback update mechanisms can prevent attackers from downgrading a device to an older software version with a known security vulnerability that the attacker can exploit.

 

Inadequate Privacy Protection

IoT devices, by design, collect and store a significant amount of users’ personal information. Unfortunately, not all manufacturers implement strong privacy or data management and protection policies. Those that do tend to begin by encrypting and implementing various layers of distinct checks and balances, providing data security between endpoints. When these security and privacy protection models are absent, improperly installed, or set up, glaring issues crop up.

 

One such example of improperly set privacy controls by the manufacturer was the TRENDnet Webcam Hack. TRENDnet marketed their SecurView cameras for various uses ranging from home security to baby monitoring and claimed they were secure, the FTC said.
Data Protection=However, they had faulty software that let anyone who obtained a camera’s IP address look through it — and sometimes listen as well. Thus for at least two years (2010 – 2012), the SecurView webcams allowed the transmission of user login credentials in clear, readable text over the internet! It did not just end there. Even their proprietary mobile app for the cameras stored users’ login credentials in clear, readable text, right on their mobile devices allowing anyone who obtained a camera’s IP address to look and sometimes listen through it as well.

 

Insecure Ecosystem Interfaces

The IoT ecosystem comprises all the components that allow consumers, governments, and businesses to network between their IoT devices. Some of these include networks, data storage, remotes, security, dashboards, and data analytics. Interfaces like a backend API that devices use to connect to a larger network ecosystem can also be compromised. A significant security concern to network operators and manufacturers is 5G network technology, which is expected to shoulder the connectivity load of IoT devices.

 

IoT devices, when integrated with centralized management platforms and legacy systems, are at high risk of being compromised by users who unknowingly introduce security vulnerabilities at the application layer. When such interfaces are compromised, it is often due to the previously mentioned reasons and improper traffic filtering.

 

Conclusion

Should an IoT vendor build its device or devices with insecure software libraries or other elements that are from an insecure source, then the device(s) will logically be insecure. Other means include using third-party software and hardware from a compromised supply chain or the insecure customization of Operating System (OS) platforms.

 

Manufacturers must comprehend that as more IoT ecosystems are being built, it is equally imperative to build security in, right from the very start. From sourcing components to firmware writing, initial installs, and throughout a device’s lifecycle. Thus, as more and more IoT connected devices come online, these and other yet undiscovered vulnerabilities need to take center stage.

 

Alongside poor management practices, targeted malware, and weak IoT architecture, IoT devices and technology can also be exploited through hard to detect zero-day vulnerabilities. Attackers continue to modify their malicious code to obfuscate better and spread within networks faster. Some of the better practices that should be applied to IoT technology include not over connecting your systems, not trusting a compromised device, particularly if it was compromised locally, and for vendors, frequently subjecting your code and hardware to third-party penetration testing (Black & White Box variants).

Consumer vs Enterprise IoT Attacks

In the future, a significant feature of IoT devices will be the ability to rapidly modify device configurations through remote tools and deliver innovative applications and capabilities. Additionally, all control updates, and packages, will include increased security and encryption to block attacks while driving more automated deployments.

 

The goal remains to enable a user at a local site with little to no background or understanding of IoT and IoT edge devices to connect a power cord, network cable(s), and walk away. Allowing the device to carry out self-provisioning and authentication automatically. Likewise, should a need to move the device occur, it can self-provision itself to its new location’s conditions and obligations.

 

Posted on

Endpoint Security and the Future of the Cyber Security Landscape

Establishing the Zero-Trust Cybersecurity Framework

In recent years, Cybersecurity has repeatedly been one of the leading anxieties for enterprises worldwide, and in 2020, that trend intensifies. Traditionally, it is easy to shirk the organization’s IT responsibilities and point fingers towards CIOs, CISOs, and the CTO. However, it would be imprudent not to acknowledge that most cybersecurity incidents have arisen due to employee negligence. As such, the culture of taking proactive security measures should be borne by the entire organization.

 

“Today, the only way to be sure your system is good enough from a security point of view is for the whole IT team to design everything with security in mind,” says Grossi. “It’s no longer okay to be only mobile first or cloud first; it’s got to be security first.”

Piergiorgio Grossi (Former Chief Information (CIO) and Digital Transformation Officer at Italian motorcycle-maker Ducati)

 

A glance at today’s cybersecurity landscape

Cyber attacks alongside Deepfakes continue to increase year over year. According to the ISACA’s Global State of Cyber Security Survey—a survey of more than 2,000 information security professionals from more than 17 industries—looks at the threat landscape, the measures security professionals employ to keep their organizations safe, and key trends and themes in the practice of security.

The cybersecurity landscape presents a positive and negative outlook. On the positive side, at least 50% of fully or appropriately staffed teams are more confident in their abilities to respond to cyber threats. While on the negative side, 62% of survey participants agree that cybercrimes are severely under-reported, and 52% believe that it is very likely their enterprise will experience a cyber attack in the next 12 months. Nevertheless, Information security professionals still believe that real progress is being made against common threats.

The most common threat actors being Cyber Criminals (22%), Hackers (19%), Malicious Insiders (11%), Non-Malicious Insiders (10%), Nation-State Attackers (9%), and Hacktivists (8%). The most frequent attack methods being Social Engineering (15%), Advanced Persistent Threat (10%), Ransomware (9%), and Unpatched systems (9%). Other noteworthy methods are Distributed Denial of Service (DDoS) and Mobile Malware, especially via android.

Fortunately, Google is making more headway with its latest privacy-focused features and increased efforts toward security updates. Android 10 (Pie) introduced granular controls over app permissions, while the upcoming Android 11 (currently available as a developer preview) further conveys their commitment to improvements in security with the implementation of temporary one-time access, allowing an app to use, for example, your phone’s location or camera. Android 11 continues this security-focused expansion and uses biometrics (Face, Iris, and Fingerprint data) to authenticate apps and services. Android 11 will also support digital driver licenses and other identification documents.

The ISACA survey also shows that organizations that take longer to fill in their cybersecurity and related positions report an increase in cyber attacks. Enterprises that took less than 2 weeks experienced 26% more cyber-attacks this year. Those who took around three months experienced 35% more attacks this year. Those who took six months or more experienced 38% more attacks. While those who were or still finding it hard to fill the positions experienced 42% more cyber-attacks this year.

 

Why Endpoint Attacks Occur

There used to be a distinct difference between the inside and outside of an organization, with infrastructures possessing clearly defined roles and boundaries. Organizations would have offices with computers and servers running on-site, creating a physical firewall, and ensuring that data often never leaves the company.

However, with the rise in telecommuting, more employees were asked or forced to work from home where there is no apparent, easily guarded line that can keep all the data in and attackers out of the system.

Worse is that some organizations still have a legacy viewpoint of the boundaries. Combine that with the BYOD trend, and all these lead to an increasingly expanding frontline. Causing security personnel to deal with relatively easy to hack employee-owned devices. This is further compounded by the fact that most employees expect convenience—many opting to use free and popular services to bring their data outside the company and with them. The majority of these services are infamously insecure, as have been pointed out by several hacks lately.

One such cyber attack is the recent discovery of an additional six malicious Android apps (11 similarly malicious apps were discovered in July) that slipped through the Google Play Store’s safety net to plant malware on Android devices. Another phishing attack targeted government and security organizations, using a legitimate Box page with Microsoft 365 branding to trick the victims.

The attackers were careful to appear quite convincing. Botnets facilitated spam and malicious emails with sender names and domains from a legitimate third-party vendor, asking readers to view a sensitive financial document. Viewers who clicked the link were led through a series of pages till they landed on a phishing page, built to resemble the Office 365 login portal, where they were asked to log in with their corporate credentials.

According to the cybersecurity awareness and data analysis firm, CybSafe and data from the UK Information Commissioner’s Office (ICO), 90% of the 2376 cyber breaches reported to the ICO in 2019 were attributed to end-users’ errors. This was a significant increase from the years prior, with 61% in 2017 and 87% in 2018. The cybersecurity company reported phishing accounted for 45% of all reported cases, making them the primary cause in 2019 in the UK.

There is a general lack of public understanding around basic secure behavior, such as spotting fraudulent links and phishing emails, sending the wrong document to the wrong person, leaving a computer unlocked, or plugging in unidentified USB sticks. However, there are two sides to this human error issue.

  1. Passive Attacking: End-users and endpoints have become the primary targets for cyber attacks. This is because their behaviors and powerful devices are relatively easier to exploit, making them attractive targets. Security to most end-users is an untaught concept, and one they typically leave to the “experts.” Yet said experts are rarely the most communicative or most persuasive of tutors and thus, fail to communicate the pitfalls of not being security first effectively. Additionally, BYODs rarely include superior security, such as multifactor authentication (MFA), a system that can prevent the vast majority of data breaches by stopping unauthorized clients from accessing a corporate device. This all leads to the end-user becoming the weakest link, triggering a Supply Chain Attack.
  2. Increased IT Infrastructure Complexity: This second aspect encompasses the increasing complexity and distinctiveness of security tools. From intrusion detection, network monitoring, and encryption to security information and event management tools (SIEMs). Typically, more robust options are welcome; the issue is that all of these disparate tools need to be integrated effectively and correctly aligned to provide adequate and effective security. This also means that security teams have to know each tool, their uses, thresholds, and experience to create appropriate baselines. Unfortunately, teams are not trained well enough in the real world and most likely implement the tools with their default configurations. Doing this allows for an easier rollout but a risky and unsecured move, nonetheless. Such settings were predetermined by the manufacturer and basically put usability before all else.
 

“Though shocking, these statistics shouldn’t provoke a negative reaction. Employees of course pose a certain level of cyber risks to their employers, as seen in our findings thus far. Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber risk can almost always be significantly reduced by encouraging changes in staff cyber awareness, behavior, and culture.”

Oz Alashe – (CEO and Founder at CybSafe)

 

Undoubtedly, cybersecurity has dramatically changed, and cybersecurity teams’ capabilities are being stretched past their limits. Fundamentally brought on by a ballooning attack surface blended with ill-informed and inappropriate consequential end-user behavior floated by some organizations that refuse to take security seriously.

 

Endpoint cybersecurity threats

Endpoint security is a critical aspect of the cybersecurity landscape, and it’s becoming increasingly important as the nature of work evolves. With more devices connecting to networks than ever before, from laptops and smartphones to IoT devices, the number of potential entry points for endpoint cyber security threats has multiplied. This makes endpoint cyber security a vital component of any comprehensive security strategy.

Endpoint cyber security threats are diverse and constantly evolving. They include malware, ransomware, phishing attacks, and zero-day exploits, among others. These threats can compromise individual devices, and from there, gain access to the broader network, leading to data breaches or system disruptions.

Malware and Ransomware: Malware is a broad term that encompasses various types of malicious software, including viruses, worms, and Trojans. Ransomware, a type of malware, encrypts a victim’s files and demands a ransom to restore access. These threats can infiltrate endpoints through malicious email attachments, infected software downloads, or malicious websites.

Phishing Attacks: Phishing attacks often come in the form of deceptive emails that trick users into revealing sensitive information, such as passwords or credit card numbers. They can also involve convincing users to click on a link or download an attachment that installs malware on their device.

Zero-Day Exploits: These are attacks that take advantage of software vulnerabilities that are unknown to the software vendor. Because these vulnerabilities haven’t been patched, they provide an open door for hackers to infiltrate systems and networks.

Advanced Persistent Threats (APTs): APTs are complex, stealthy threats in which an unauthorized user gains access to a network and remains undetected for a prolonged period. These threats are often state-sponsored and aim to steal information or disrupt operations.

To combat these threats, organizations need to adopt a multi-layered approach to endpoint security. This includes the use of antivirus and anti-malware solutions, firewalls, intrusion prevention systems, and endpoint detection and response (EDR) technologies. Additionally, organizations should regularly patch and update software to fix known vulnerabilities, and educate employees about safe online practices to prevent phishing and other user-targeted attacks.

 

The Future of the Cyber Security Landscape

The evolution of large-scale breaches symbolizes a growing trend of security violations both in numbers and their gravity. Data breaches recurrently expose sensitive information that often leaves users at risk for identity theft, ruin businesses’ reputations, and leave businesses liable for compliance violations. Cyber Observer, holistic cybersecurity management, and awareness solutions predict that damages from cyber crimes are projected to reach $6 trillion annually by 2021.

In other words, as enterprises gradually emerge from the current pandemic, we expect to see a surge in new demands. Reacting to these will require CIOs to formulate strategies based on two structural principles; understanding what customers need in a transforming landscape and leveraging technology to respond to these challenges in ways that acknowledge scope, cost, and scale objectives.

It is virtually impossible to write about the cybersecurity landscape’s future without citing Artificial intelligence (AI) and its role in securing endpoints. AI has existed for quite some time, and its use in our daily lives has become so common that we hardly ever stop to really think about it. From “Weak” AI programs such as “AlphaGo” developed by Goggle DeepMind that combined advanced search tree with deep neural networks, to Strong AI and machine learning systems used in flying Drones, Google Nest, and Tesla’s Autopilot. CIOs will carry on utilizing AI in various fields within cybersecurity. If anything, but to combat the numbers of attackers misusing AI and machine learning.

Looking to the future, the potential for new threat classes remains; ubiquitous and non-discriminatory in nature and to which there are currently no known catch-all countermeasures. Intrinsically, meticulous observations on malware features, abnormal acts, attackers’ attributes, and machine learning-based AI algorithms empower the defenders to deal with cyber threats, and in some cases, actually, go on offense. Regrettably, such observations also provide the attackers’ chances to invent novel attack techniques. Particularly as the risk of inputting false data and many other unsolved errors are relatively high in AI, defenders must always stay alert.

 

10 Simple Steps to Protect Your Business

Today, homeowners go beyond the typical door locks and automatic lights to a fully integrated security system that can prevent attacks and detect and respond to an intrusion and even accidents like a fire. Similarly, a business should deploy a multilayered cybersecurity strategy, one that includes.

Prevention: Firewalls, Anti-virus, Anti-malware, Password Management, Cybersecurity Awareness Training

Detection: SIEM, IDS, Threat Intelligence, and Log Monitoring

Response: 24/7 SOC Monitoring Response, Automated Threat Remediation, and Forensic Investigation.

These are all great tools, but in reality, not all businesses can afford top of the line and often proprietary security suites. Fortunately, you or businesses do not need to invest endlessly in new security tools to improve and elevate your current Cybersecurity posture and awareness for the reason that 80% of data breaches can be prevented with the following basic actions.

  1. Patching
  2. Regular vulnerability assessments
  3. Institute end-user security awareness
  4. Ensuring third-party vendor compliance
  5. Endpoint Detection and Response (EDR)
  6. Limiting access to your most valuable data
  7. Securing mobile devices and BYOD devices
  8. Proper device and or software configurations
  9. Conduct employee security awareness training
  10. Develop cyber breach prevention, detection, and response plan
 

Final Thoughts

Improving endpoint cyber security needs to be a top priority in 2020 and the foreseeable future. The border-less and seemingly non-discriminatory nature of cyber-attacks means it is of imperative importance that the cybersecurity industry shares their insights and work together to protect themselves and the wider population.

In today’s connected world, a breach of one organization can compromise an entire supply chain. Spelling disaster for businesses, eroding public trust and opinions, whilst leaving them in financial collapse, particularly with the General Data Protection Regulation (GDPR) in the EU. It is up to the legitimate security community to learn from each other, sharing what works and what does not. Most importantly, we all need to identify where to improve and ensure we leave no one behind.