This week, the UK’s National Cyber Security Centre (NCSC), the FBI and the U.S. Department of Homeland Security issued a joint alert warning of a global campaign by Russian state-sponsored cyber actors.
While the alert focused on network infrastructure devices, the threats apply to all internet-connected devices, especially IoT devices, of which Gartner estimates there will be 25.1 billion connected to the internet by 2021. So, while panic is not necessary, CIOs and business leaders should take notice and take action to ensure they are not leaving a backdoor into their company’s data and information.
What is the threat?
It’s important to note that while there may be an uptick in activity, the threat itself and the techniques are not new. Nation-states and malicious groups have long used IoT device vulnerabilities, and compromised systems via over-the-air (OTA) updates, to deploy malware, build botnets such as Mirai, execute large-scale DDoS attacks, or simply to monitor and eavesdrop.
Russian, or indeed any other, cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these connected devices and conduct a campaign of disruption. As hackers are known to do, they will likely follow the path of least resistance, and in vast IT estates peppered with legacy devices there are several options.
Many older devices, from office equipment and network-enabled printers through to industrial control systems, were not sufficiently hardened before installation and rely on unencrypted or weak legacy protocols. In some instances, businesses are running devices which are end-of-life and no longer receive vital security updates. Ridding enterprises of these legacy devices is not as simple as rip-and-replace.
The cost and business disruption alone are prohibitive, but there is also the issue of skills and compatibility. CIOs must manage the influx of new devices and systems while balancing the available skills to implement and manage these new systems against the need for compatibility across existing, company-wide technologies. Very often this means continuing with technology and tools that are familiar to the IT team and the business, but this brings legacy security issues along with it.
As the NCSC alert highlighted, connected devices do not receive the same level of ongoing security as general-purpose desktops, servers and endpoints. Devices are built and distributed with exploitable services enabled for ease of installation, operation and maintenance, and all too often IT teams overlook these devices when they search for intruders.
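The three conditions described above (legacy cleartext services left enabled, end-of-life devices still in service, and devices outside the scope of intrusion searches) can be turned into a simple, repeatable hardening audit over an asset inventory. The following is an added example, not code from the article or the NCSC alert; the list of legacy services, the severity weights and the sample inventory are all assumptions constructed for illustration, and a real estate would feed the audit from its own CMDB or scan results.

```python
"""Audit an asset inventory for the legacy-device weaknesses the alert describes:
cleartext/unauthenticated management services, end-of-life hardware, and
devices that nobody is watching.  Added example with a constructed inventory."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Services commonly left enabled "for ease of installation, operation and
# maintenance".  Assumption: this is a starting policy to extend for your
# own estate, not an exhaustive catalogue.
LEGACY_SERVICES = {
    21: ("ftp", "credentials sent in cleartext"),
    23: ("telnet", "credentials and session sent in cleartext"),
    80: ("http-admin", "management UI without TLS"),
    161: ("snmp", "v1/v2c community strings are cleartext"),
    502: ("modbus-tcp", "no authentication on control traffic"),
    9100: ("jetdirect", "unauthenticated raw print-job submission"),
}

# Assumed severity weights used to rank findings for remediation.
SEVERITY = {"end-of-life": 3, "legacy-service": 2, "unmonitored": 1}


@dataclass
class Device:
    name: str
    kind: str
    open_ports: list[int]
    support_end: Optional[date]      # None: vendor still ships security updates
    monitored: bool = True           # in scope of logging / intrusion searches
    snmp_version: Optional[str] = None


@dataclass
class Finding:
    device: str
    category: str
    detail: str

    @property
    def severity(self) -> int:
        return SEVERITY[self.category]


def audit(devices: list[Device], today: date) -> list[Finding]:
    """Return all findings, highest severity first, then by device name."""
    findings: list[Finding] = []
    for d in devices:
        for port in d.open_ports:
            if port not in LEGACY_SERVICES:
                continue
            if port == 161 and d.snmp_version == "v3":
                continue  # SNMPv3 authenticates and encrypts, so not legacy
            svc, why = LEGACY_SERVICES[port]
            findings.append(Finding(d.name, "legacy-service", f"{svc}/{port}: {why}"))
        if d.support_end is not None and d.support_end < today:
            findings.append(Finding(d.name, "end-of-life",
                                    f"support ended {d.support_end.isoformat()}"))
        if not d.monitored:
            findings.append(Finding(d.name, "unmonitored",
                                    "not in scope of intrusion searches"))
    findings.sort(key=lambda f: (-f.severity, f.device))
    return findings


def findings_per_device(findings: list[Finding]) -> dict[str, int]:
    """Count findings per device; devices with no findings are omitted."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.device] = counts.get(f.device, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    Device("print-02", "printer", [80, 161, 9100], date(2016, 6, 30),
           monitored=False, snmp_version="v2c"),
    Device("plc-07", "ics-controller", [23, 502], None, monitored=False),
    Device("core-sw-01", "switch", [22, 161], None, snmp_version="v3"),
    Device("fw-edge", "firewall", [22, 443], date(2030, 1, 1)),
]
AUDIT_DATE = date(2018, 4, 20)  # constructed; use date.today() in practice


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"[sev {f.severity}] {f.device:12} {f.category:15} {f.detail}")
```

On the constructed inventory the end-of-life, unmonitored printer with three cleartext services ranks first, the controller with telnet and unauthenticated Modbus second, and the switch running SNMPv3 over SSH-only management produces nothing. The point is that the ranking comes from a written-down policy rather than from whichever device someone happens to remember, which is what keeps these devices from being overlooked.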
Go hack yourself
Maintaining a robust cybersecurity program remains the best course of action to mitigate risk. To strengthen defenses, my advice to CIOs is “go hack yourselves.” Bringing ethical hackers into the organization and letting them loose to sniff out vulnerabilities and simulate a real-world cyberattack uncovers many gaps in security that routine checks miss. Ethical hackers use the same tools, techniques and methodologies as a malicious hacker, and some of those might surprise you.
Our cybersecurity services team recently gained access to a customer’s network by simply getting T-shirts made with the company logo on them and stating that they were “with IT.” Because they adopt the same approach real-world hackers would, ethical hackers can offer the most accurate feedback on the exposure and vulnerabilities a network or system may have.
Where security consultancies in general fall short is in taking an assessment-only approach. Security consultants and IT need to partner with their business leaders to assess the risk and needs within the cybersecurity program and address the issues identified at the source. This can often mean process improvements, or security controls applied to an organization’s supply chain to prevent weak or vulnerable systems from being implemented in the first place.
This insight into where a business’s risk lies offers enterprises a roadmap to develop a cybersecurity plan that is effective and appropriate for the organization, its technologies and its processes. The businesses that develop and maintain comprehensive incident response plans will be best placed in the event of a breach, while those without may have no choice but to resort to panic.