by Raimund Genes
When was the last time you checked how many of your organisation’s devices and systems were searchable from the public internet? Do you know for sure that they’re all properly patched and configured? New research from Trend Micro suggests the sheer volume of devices exposed to the internet is putting organisations at unnecessary risk of data theft, sabotage, fraud and disruption.
It’s time Europe’s policymakers woke up to the dangers and helped establish security standards for IoT and similar devices.
Launched at RSA Conference 17, Trend Micro’s new report, US Cities Exposed, reveals that millions of devices and systems across US cities are potentially putting businesses and consumers at risk. They were all searchable by Shodan and, by implication, by hackers – who could probe for vulnerabilities or even craft targeted attacks designed to compromise them. Vulnerable devices include but are not limited to webcams, network-attached storage (NAS) devices, routers, printers, phones, media players, web and email servers, databases – including medical databases – and industrial control systems (ICS).
It’s not hard to see what a hacker with intent could do, whether financially motivated cybercriminal, state-sponsored spy, hacktivist, or mere script kiddie.
NAS devices can store some highly sensitive corporate data. ICS boxes could offer an opportunity to sabotage an industrial environment. Even something as innocuous as a webcam could be used to gain initial access to a network, from which beachhead attackers could pivot to the real high-value systems. Or it could be compromised to spread ransomware throughout the organisation. Or it could be added to a Mirai-style botnet primed to do its master’s bidding: DDoS, click fraud, the list goes on…
A seal of quality
Many of these devices may have been secure when they were first developed. But technology moves fast, and now they may be highly exposed on the internet with inadequate protection. Some, including a large number of industrial systems, should never be connected to the public internet. Other devices may simply have been developed and sold with little regard for security, as were those DVRs and webcams compromised by Mirai malware – which simply scanned the web for those with factory default credentials.
It’s especially this latter category that UK and EU lawmakers need to address. Products without a baseline of adequate security simply shouldn’t be allowed to be sold here. Politicians and regulators should wise up to the scale of the threat we’re facing, and design something akin to the “CE mark” – a seal of quality for internet-connected products. The GDPR might help protect personal information but it doesn’t address the threat posed by IoT devices and exposed internet-connected systems.
In the meantime, there are a few things IT leaders can do to reduce risk, including:
- Network segmentation
- Log analysis
- Properly configured user access profiles, workstations, and servers
- Data classification and encryption from endpoint to cloud
- Tight access controls
- Incident response teams
- Internal and external threat intelligence
Already we’re seeing hackers test the waters with attacks on industrial control systems in the Ukraine. Things are moving ominously from an experimental phase to attacks with real-world impact. And with the Trump administration seeming to signal a more aggressive cyber policy from the US, what are the odds of retaliation from the likes of China and Russia?