The IoT Cybersecurity Improvement Act 2019 is headed for a vote in the US Congress, in the same week that Mirai has reared its head again and Telstra has found that 88% of European organizational cybersecurity risks are internal, with employees being the biggest threat. Taken together, you get a strong flavor of where the world is headed, and, unsurprisingly, IoT security still has a very long way to go.
This isn’t just a problem confined to specific markets, such as connected cars or smart homes. As businesses undergo digital transformations, or facilities upgrades, they will suddenly find themselves with much greater attack surfaces that need to be protected.
There is going to be a difficult collective period between companies discovering the initial benefits of a new connected business process and then the risks or trade-offs that the new devices inflict on the business. Of course, this interim period is going to be a wonderful sales opportunity for security providers, who can supply software and appliances to help rectify these problems, but as the new incursion from Mirai and the findings of the Telstra study have shown, enterprises are going to have to start embracing new ways of doing things.
Chiefly, the businesses and processes need to become secure-by-default, and to do this, the tools they use are going to require a lot more autonomy. Many businesses will baulk at the thought of handing over the keys to their security providers, but as we saw with WannaCry and NotPetya (which wiped out a quarter’s profits), having a deeply integrated security system is going to become a cost of doing business, regardless of how uncomfortable this new paradigm might feel for leaders who have historically insisted upon total control.
Whether it’s security platforms that use AI-based algorithms to spot emerging threats, or a cloud-based application environment that is locked down (to the point of frustration) to prevent users doing something dumb, businesses are going to find that there is a trade-off to make in exchange for improved security. These new technologies are going to appear quite invasive or restrictive, but not using them opens a business up to a whole host of litigation and regulatory retaliation.
The Telstra study found that 52% of European businesses have experienced unintentional actions that led to a security incident, and that 79% have had to deal with an intentional and malicious employee action. Telstra warns that it is not, as often thought, external hackers and viruses that are the greatest risk; rather, it is the company’s own workers.
Of course, there’s a divide between intentional and unintentional damage, but it seems clear enough that as long as humans are involved, there are going to be errors that lead to new security problems, and a small number of people are going to use their intimate knowledge of the operations to inflict damage upon the business. According to the survey, 20% of companies experienced a malicious incident by a member of staff on a monthly basis, with 22% saying it happened every six months.
As for the frequency of human-error-induced security incidents, 10% of European companies said they were weekly, 20% said monthly, and 22% said quarterly. More worrying is that 27% of the 1,300 respondents said it took days to identify a problem, with another 15% saying it took weeks.
Other highlights from the research include that 83% of companies spend at least 20% of their IT budgets on security, and that 46% said their customers are expressing more concern over data privacy than they did a year ago. Also notable was that 50% of ransomware victims actually paid the ransom to unlock their files.
Some 91% of attacks stem from phishing, with another 89% blamed on unpatched devices. The list continued with operational technology (building management systems, cameras) and malware (spyware, downloaders, adminware), which afflicted 87% of respondents. Business email compromise and DDoS were suffered by 85% of respondents, followed by web application attacks (84%), identity theft (82%), advanced persistent threats (APT, 80%), hacking (79%), and ransomware (78%).
Mirai falls into that malware camp, and Palo Alto Networks has reported that a new variant has begun targeting VMware’s SDX family of Software-Defined Wide-Area Network (SD-WAN) equipment. This is notable because these devices are quite a step up from the sorts of devices that Mirai initially targeted, such as generic set-top boxes and security cameras, where it used a list of default credentials to brute-force its way into control of the device.
SD-WAN is the technique by which one business location is connected to another so that the two act as if they were on the same local network, extending the corporate network over a wide area. As a bridge between two worlds, these environments are an obvious place for an attacker to try to insert a Trojan horse or reach a door that should not normally be reachable. SD-WAN is rising in popularity because it is a cheaper alternative to the established WAN networking technologies, and as its popularity grows, so does the opportunity for threats like Mirai.
Companies like Palo Alto Networks are hoping to rack up some big contract wins in the next few years, as enterprises begin realizing that they are going to have to start splashing the cash to remain compliant with local laws and to protect their brand power.
In the disclosure notice, Palo Alto’s Unit 42 warns that “this newly discovered variant is a continuation of efforts by Linux malware authors to scout for a wider range and thus, larger number, of IoT devices to form larger botnets thereby affording them greater firepower for DDoS attacks. Based on the results observed by using such variants, the exploits that are more effective i.e. the ones that infect a greater number of devices are retained or reused in future variants whereas the less effective ones are retired or replaced by malware authors with other exploits.”