Why consumer IoT security is now a business problem
This article originally appeared in Issue 10 of IT Pro 20/20.

Given the recent shift to mass remote working, the average “office” is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums. While these devices have allowed us to automate everyday tasks and, ultimately, become more productive, they’re also becoming a growing headache for businesses.

Although normally these consumer-facing devices wouldn’t be a major worry for CISOs, they’re quickly becoming a concern. As a result of the ongoing COVID-19 pandemic, and the UK government’s recent u-turn on remote working guidance, employees are using their household Wi-Fi more than ever to log onto work computers and carry out sensitive tasks. This is, in most cases, the same network that these Internet of Things (IoT) devices are also connected to, and that could be leaving corporate networks vulnerable.

“The networks and security tools staff use at home are likely to be far less secure than those in the office and IoT devices add an extra layer of complexity,” Jamie Akhtar, CEO and co-founder of CyberSmart, tells IT Pro.

“Home office networks are 3.5 times more likely than corporate networks to be infected by malware. There may even be a psychological element to this; 52% of employees believe they can get away with riskier behaviour when working from home.”

Shadow IoT

According to Statista, consumer electronics will account for 63% of all installed IoT units in 2020. Given our homes now double-up as our places of work, these innocuous devices are beginning to infiltrate corporate networks. Recent research from Palo Alto Networks revealed, for example, that a staggering nine in ten UK businesses reported a rise in the number of IoT devices connecting to their networks over the last year.

While, on the face of it, this doesn’t appear overly problematic, when you consider the security problems that surround the Internet of Things (IoT) the danger becomes more clear. Cyber attacks against these innocent-looking devices are on the up (research from F-Secure reveals a 300% increase in 2019), and these attacks can have devastating effects; take, for example, the infamous Mirai botnet, which was designed to exploit vulnerable IoT devices and crippled several high-profile services back in 2017.

What’s more, research shows that 15% of IoT device owners still use default passwords, so chances are high that most businesses have at least one employee with a vulnerable device.

Larry Trowell, principal security consultant at Synopsys, comments: “While you may think ‘what information could anyone possibly get from attacking my coffee machine?’, if it’s on the same network as your home or work laptop, then the answer is ‘quite a lot.’ A perfect example happened in 2018 when a Las Vegas casino was breached by way of a smart thermostat which had been added to the secure network. This allowed hackers to access the main systems using the thermostat as the access point.

“Any one of these devices could be used as an access point for an attacker wanting to gain access to your home network and through it, potentially, also the network of your employer.”

Lou Morentín, VP of compliance and risk management at Cerberus Sentinel, sounds a similar warning. “Users working from home are likely going to be connected to their home Wi-Fi and internet connections,” he says.

“The security of these networks is often much less comprehensive than a corporate environment and can open the remote worker’s computer and data sent over the network to attack. Many homes have ‘smart appliances’ or other IoT devices that are regularly compromised at scale by cybercriminals.

“Attackers could leverage the advantage of being on the same network as the remote worker with attacks that would normally require them to have already compromised a computer network such as ARP spoofing, name resolution poisoning or other man-in-the-middle techniques.”

Fixing the IoT problem

Although IT and security teams are currently focused on adapting their software and infrastructure to cope with the fact the majority, if not all, of their employees are now working from home, the issue of IoT security often isn’t at the forefront – nor was it prior to the pandemic.

Research from the Neustar International Security Council found that 48% of organisations had been the victim of an IoT cyber attack in 2020, with just over a quarter (27%) feeling ‘very confident’ that they would know how to respond to such an attack.

Rodney Joffe, senior vice president and senior technologist and fellow at Neustar, warns: “Solving this problem, then, is not as simple as enterprises may have first thought. To guard against the risk of being breached as a result of consumer IoT devices being compromised, businesses should ensure they have a considered, up-to-date and always-on security strategy in place that takes into account the full range of IoT devices connected to a network.

“In addition, educating the workforce on the cyber threats stemming from at-home smart devices and the importance of best practice cyber security behaviour is crucial. This should include encouraging employees to change passwords on all devices as soon as they are brought into their homes.”

This latter point is echoed by Ori Bach, CEO at TrapX Security, who says employee education is the most important step you can take to prevent cyber attacks in the remote workforce.

“If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow and adhere to the fundamentals of cyber hygiene,” he says.

“If businesses don’t have a remote working security policy, it’s time to draft one.”

Another step employees can take is to isolate these devices from their main Wi-Fi network, which is now often being used to carry out sensitive tasks.

Trowell advises: “The most practical method of isolating these two systems is to use the guest network to host such secondary network-enabled devices. The guest network typically doesn’t allow access to unknown devices in your home by default; however, it can be configured to block unrecognised devices from connecting to the network.”

Some, however, don’t believe there’s a problem to be fixed. Pascal Geenens, director of threat intelligence at Radware, tells IT Pro that the threat of data breaches and intrusions is much bigger than the threat landscape created by IoT.

“Many of the smart home devices such as thermostats and coffee machines require physical proximity to perform the hacks that have been discovered by researchers. Whereas the attacks on enterprise VPNs and remote access protocols can be performed from the internet. And the internet has no borders or boundaries,” he says.

“IoT is still a large threat surface, but mostly for DDoS and other malicious activities that can leverage a distributed army of bots.”
Date: 2020-12-03
itpro.co.uk