The proliferation of the Internet of Things (IoT) in consumer, enterprise, and health care sectors, and their internal vulnerabilities, have created a security blind spot where cybercriminals can launch a Zero-day attack to compromise the connected devices. In tandem with technology and deployment, the growth of IoT devices also resulted in a variety of cyberthreats.
In an interview with Rudra Srinivas, Sr. Feature Writer, CISO MAG, Chukwudum Chukwudebelu, Chief Strategic Officer and Co-Founder at Simius Technologies Inc., discusses the major cybersecurity concerns associated with IoT devices. Chukwudum is experienced in product management, strategy, marketing, and sales in simplifying the consumer cybersecurity industry.
Edited excerpts from the interview follow:
The surge of the Internet of Things (IoT) is forcing many businesses to reconsider their approaches towards cyber risk management. How is the explosion of IoT devices changing the cybersecurity landscape?
The explosion of IoT is an unprecedented phenomenon. It is one thing for a computer with a screen to be connected to the internet, where you would notice something wrong. But it’s another issue for IoT devices. There was an incident of a casino that was hacked through a smart thermometer. IoTs make your networks vulnerable, and they are not designed to be secure. Even if they are, it is only the hardware that is secure due to the changing nature of vulnerabilities. Embedded firmware becomes insecure over time. This is especially true when you consider very few manufacturers provide regular firmware patches. Because of this, they become the backdoor for hackers, and without proper network security scans on those devices, how would an organization or even a consumer know when these devices have been breached? Businesses have to understand that they need consistent surveillance on these IoT devices because they may not know when they have been hacked. And if they have been breached, one may be thinking that it is just a smart thermometer. However, one single breach can amount to the domino effect, as intruders pivot from device to device. They might be able to navigate with impunity onto other devices, creating a backdoor to sensitive files or systems. Businesses and consumers need full holistic solutions for the cybersecurity landscape of today because every small breach in any organization could have a domino sitting there, waiting to be tipped.
According to a survey, the total number of IoT devices is expected to reach 83 billion by 2024, from 35 billion in 2020, which represents a growth of 130% over the next five years. Will IoT ever be 100% secure? What will be the state of IoT security in the next five years?
The IoT technology will always improve but it will never be 100% secure. As long as it is connected to the internet, there is always a risk. The best chance at cybersecurity is to reduce that risk. Since the internet was not built to be secure, rather, it was designed to be shared. Industries are increasing the use of IoTs, and consumers are doing the same. As with anything, Moore’s law applies. An example would be for smart homeowners, where consumers have fully automated homes. Many smart homeowners have had their devices breached. We can also dive into the agricultural sector with the rise of fully automated farms, manufacturing industries using autonomous robotics, etc. In the next five years, many of these industries will become fully dependent on IoT devices. They will need to be secure to reduce risk, and the manufacturers of these devices together with the cybersecurity companies and government have to find a way to work together to deliver 100% secure IoT devices. By constantly keeping up with the threats and vulnerabilities, while being on point to thwart or prevent an attack at a moment’s notice. There’s no such thing as the cyber police yet, but I am sure that it will become recognized and more prominent as a need with most law enforcement agencies.
Based on a report, nearly 80% of IT professionals discovered shadow IoT devices connected to their company’s network. What are the major cybersecurity concerns associated with shadow IoT devices and how enterprises can deter potential threats from them?
The major cybersecurity concern is fear of the unknown. We don’t know what we do not know. That is part of being human. However, shadow IoT devices offer a unique attack vector for cybercriminals. We’re talking about connected devices or sensors that are actively in use within an organization’s network without their IT department’s knowledge. This includes everything from PCs, smartphones to personal health monitors and other smart devices. So, organizations and consumers need to keep a tight-knit around access to their networks. The value of keeping passwords away from employees or strange acquaintances cannot be underestimated. How can one prepare to mitigate against shadow IoT attacks if they do not keep their network access controlled?
Organizations and consumers alike should consider change management practices. Should there be any breach through a shadow IoT attack, it will keep recurring, and the businesses or consumers will keep having to deal with damage control. Until those loose ends are kept under wraps, shadow IoT attacks will remain a large point of risk. It is difficult to discover problems without proper visibility for these IoT devices. Enterprises could do a network reset, with the devices connected to their network, but this can require significant coordination and effort on the part of their staff with guidance from the IT department. But this is much similar to doing a body cleanse. Flushing out unwanted devices and rebooting the ones you have is always a good practice. Discovering shadow IoT devices is tricky without proper network security in place. You could also have scenarios where an employee’s device is still connected to the network long after they are no longer in the organization, so be sure to change password or logon credentials often. Certain security policies and protocols have to be put in place to reduce the frequency of those issues. When enterprises and consumers are aware of the potential threats with Shadow IoT devices, they can prepare for it.
As Chief Strategic Officer, how do you help prevent information theft through IoT devices?
They say simplicity is an art. The most basic way of theft through an IoT device is using the breached passwords. Who creates these passwords? Is there a solid password policy enforced by the organization? Or do smart home consumers even have a standard to the passwords they use? These are basic but important questions. The users of these devices are also a target for phishing campaigns and various malware vectors which can breach a network from the fault of user activities. Even though someone may accidentally click a bad link, even the most sophisticated network security systems can be breached by that error in judgement. Why do we think that accessibility means identity? Someone can access your IoT device with your password does not mean they are authorized to log in. This is how two-factor authentication is designed to operate. How do the users manage their passwords though? That is the first line of defense. Most times they do not like to manage passwords effectively. Instead, they leave their own passwords out to dry. 64% of people still use the same passwords online. Also, when these IoT devices are hacked, users do not know because they do not have a screen or visibility. No notifications are available to warn them. Users of IoT devices can use certain tools to scan for vulnerabilities and prevent them before they happen such as updating your firmware. But we have to go back to the fundamentals, “Are you authorized to access this IoT device?” User training with basic cybersecurity fundamentals is quintessential for success.
Insider threats are one of the important concerns for security leaders today. Besides, remote work has also encouraged businesses to embrace Bring Your Own Devices (BYODs) concept at workplaces. How can enterprises stop non-business IoT devices from connecting to corporate networks? Is there a middle-ground solution that you see enterprises using?
There is a middle ground somewhere between. Enterprises and consumers need to segment their network, through VLANs as an example. They can make trusted or untrusted devices connect only to the specified VLAN for which they are authorized to access. This also prevents any unauthorized access to the main enterprise or smart home network.
Businesses and homeowners alike can set up a network that needs multiple layers of security before a new device is connected to it, not just a password. Hence the usefulness and ease of two-factor authentication. That way there is an additional security layer. Enterprises have to create new security compliance policies and treat any foreign device as a threat immediately until it is determined to be a safe or trusted device. Smart homeowners are no exception. But this way, only authorized devices can connect to these networks. This is how to simplify things. We are treating devices and users into buckets of being trustworthy versus not.
In what way will artificial intelligence drive the future of the IoT landscape? And what should manufacturers be wary of to prevent the security of IoT devices from being compromised?
AI will continue to assist with automation, but there will be points of high risk that require human intervention. Manufacturers will have to be wary of viruses, threats generated from adversarial networks of cybercriminals. These threats will likely remain persistent since all IP addresses are public. The bad guys will constantly be scanning these lists to see if there are any vulnerabilities worth exploiting. Manufacturers will need sufficient infrastructure in place to prepare for these kinds of attacks. They will need to consistently ask for feedback, and test for vulnerabilities. After all, this is a great game of cat-and-mouse we play with the cybercriminals.
About the Interviewer
Read More from the author.