This week’s theme for Cybersecurity Awareness Month 2020 is “If You Connect It, Protect It.”
This theme took my mind directly to the Internet of Things (IoT). When I think about all of the cameras, Roombas, refrigerators, thermostats, televisions, and smart speaker devices – to name a few, that are now connected to home and office networks, I begin to see the tremendous risk of a breach bubble to the top. This list doesn’t even consider all of the traditional devices, such as laptops, iPads, printers, and cell phones that are connected in homes and offices.
One may be surprised at how many connections, and therefore, entry points they have sitting vulnerable to infiltrators.
This year in particular, COVID-19 has challenged businesses to think about operations in a new way. Businesses will want to assess and advise employees of risks associated with home Internet of Things (IoT) devices, and create awareness of their vulnerabilities. Below are a few key IoT highlights to share with employees.
How Do Hackers Infiltrate Common Devices?
An increasing number of companies are installing IoT devices on their networks. IoT devices are typically “black box” devices, the inner workings of which are unknown to most users.
For example, HVAC systems, smart fridges, computer printers, and even cars can contain IoT-enabled technology that connects through WiFi or cellular and therefore can be considered IoT devices.
With personal computers (PCs), there are many different types and manufacturers, but most of them run via Windows, MacOS, or Linux. In contrast, there are about as many unique operating systems for IoT devices as there are manufacturers.
It is currently estimated that approximately two million IoT devices are vulnerable to complete takeover, according to Threatpost.
Hackers can discover vulnerabilities of these devices or their manufacturers through documents published on the internet or by monitoring communication to and from your IoT devices.
Which Common Devices are at Highest Risk?
HVAC systems often reside on the company’s internal network and can be capable of remote and internet connections. This device is not secured, which means an outsider may be able to breach the HVAC system. While it is only a heating and cooling mechanism, the innocence of the breach is deceptive. Hackers can use this device to obtain access to other parts of an organization’s network.
For example, in the Target data breach of 2013, it is suspected that hackers stole credentials from the retail chain’s HVAC company in order to access the network. Hackers then used this network access to steal customer credit card data. According to USA Today, this breach affected 41 million customer accounts and forced Target to pay $18.5 million in restitution.
Multi-Function Copier (MFC) Devices
MFC devices, such as computer printers, are vulnerable. Once a hacker gains access, they can view items that have already been printed and receive unlimited access to future print items.
Some companies have taken extra precautions to protect print jobs, including providing each employee with an individual PIN number in order to start their print/copy job. While this strategy does help to reduce the number of printed pages left on the printer for an extended period of time, hackers can still use brute force methods to gain access. This brute force approach relies mainly on automated programs that are able to enter a large quantity of combinations at once in order to find the desired PIN.
Hackers can further infiltrate the MFC devices if they possess internet access. Using the device’s internet capabilities, they can send employees’ print jobs to other locations. These locations could include other computer printers, or other virtual file folders.
What Are Countermeasures/Prevention Techniques?
Organizations should understand all of the connections and data that their IoT devices generate, and ensure security is regularly assessed and tested.
Assess Vulnerability with a Scan
IoT devices are black box systems, and companies should identify and understand security risks in order to determine appropriate countermeasures. Performing vulnerability scans can help to identify, examine, and classify IoT devices, connections, and configurations, as well as monitor the types of data transmitted.
The results of the vulnerability assessments are then analyzed by a cyber-security team to advise on necessary steps to protect your organization, secure the IoT devices from potential hacker exploits, and keep sensitive data safe.
Organizations may want to conduct a vulnerability scan on an annual basis and each time a new type of device is added to the network, as this constitutes an infrastructure change.
Identify Network Inventory
IT staff should be aware of all devices on the network in order to understand their capabilities and determine any potential updates for those devices. Organizations should conduct and maintain an inventory of all devices currently on the network.
When new devices are introduced to the network, your organization should review applicable IT policies and procedures, such as the written information security policy (ISP). For example, if a new camera is added to your network, your IT staff must confirm if the physical security policy is still applicable. If your organization’s ISP requires antivirus protection to be installed on all devices on your network, but these new cameras are not capable of having endpoint protection installed, then you would need to identify compensating or mitigating controls so the new devices do not create unnecessary risks for the company.
We recommend organizations use these starter tips to understand and secure all IoT devices – in the office and offsite.
Should you have questions or need help, K·Coe Isom experts can help with assessments and implementation for cybersecurity best practices.