Yet despite the alarming risk posed by video conferencing units, vending machines, fingerprint scanners, and even shark tanks, they are routinely overlooked by security teams.
For all their appeal, IoT devices were not created with security in mind. Designed for ease-of-use and quick time-to-market, many interconnected objects use electronics from uncertified third parties, lack patch management, or fail to issue firmware updates. Still others feature default user credentials that cannot be changed. With few regulations to hold their manufacturers accountable, IoT devices are quickly becoming a leading threat vector.
Many of the most sophisticated cyber-attacks we find at Darktrace start with an IoT breach. For instance, an American casino recently installed a high-tech shark tank as a new attraction. We began detecting anomalous data transfers from the tank, which appeared to be collecting data from other company devices. An attacker was essentially using the shark tank as a conduit to try to steal data from the casino’s network.
In another case, a video conferencing unit at a retail firm was transmitting much larger volumes of data than normal. As it turned out, the camera was in a conference room used for board meetings, and it was sending sensitive audio and video footage outside the network.
Threats like these underscore the need to rethink the way we define ‘IT’. Traditionally, the concept referred to desktops and servers. Most security tools still rely on this outdated model, so they overlook smart printers, light bulbs, refrigerators, and other IoT devices. Any breaches of non-conventional IT would then go undetected, and with the impending Digital Privacy Act in Canada, failure to report a data breach will incur fines of up to $100,000.
When a breach does occur, businesses will be required to notify affected individuals and provide the Privacy Commissioner with all the relevant details. Without complete network visibility, organizations may not detect an IoT compromise at all, and even if they did, they would be hard-pressed to deliver sufficient data, thus risking significant financial penalties.
To address these burgeoning challenges, businesses have to take a more comprehensive approach to cyber security. IT and security teams need to work hand-in-hand with building managers and procurement, and IoT concerns have to be elevated to the level of the boardroom. We also have to appreciate that it will take more than human attention to defend today’s diverse and distributed network environments.
Organizations are increasingly leveraging disruptive machine learning technologies that can detect and respond to brazen and fast-spreading threats before humans have even had time to notice. These AI algorithms mimic the self-learning intelligence of the human immune system to gain unprecedented visibility into networks and build a sense of ‘self’.
By learning normal activity for every user and device in a network, this new class of technology identifies emerging threats and vulnerabilities across the entire organization, including IoT devices that frequently get overlooked. Crucially, the technology does not make assumptions about when or where threats will arise. This allows it to contain threats regardless of whether they originate from a phishing email or an internet-connected cappuccino maker.
As more and more IoT devices come online – to the tune of 5.5 million every day – ‘immune system’ technology is quickly becoming indispensable. The cyber arms race is on and attackers are using whatever vulnerabilities they can find to infiltrate networks. That often means they are specifically looking for IoT devices. It is time we get serious about protecting them.
David Masson is Canada Country Manager for Darktrace.