sb-as logo
Story image

IoT device security is a business responsibility, too

09 May 2018

IoT devices provide ample opportunity to attackers looking to use them as entry points for network compromise schemes – and despite the risks, security is still being overlooked.

ESET says that the Internet of Things has gone beyond a trendy buzzword to a genuine set of emerging technologies that will improve business operations and improve experiences for consumers.

However, the security issues that plague IoT devices persist, leading to devices that have little or no built-in security.

ESET senior research fellow Nick FitzGerald explains that even when basic security measures are built in, users don’t often change usernames or passwords from the defaults. This, he says, makes it easier for hackers to gain access to the devices.

“Many of these devices are used in applications that make their security critical. For example, automatic braking systems in trains or buses could create life-threatening situations if they were sabotaged by cybercriminals. It’s therefore essential to carefully consider security when implementing IoT devices and to not trust that security will be managed by the vendor,” he explains.

There is one way to address this challenge, which is to use ‘mutually-suspicious platforms.

The company explains:

“Isolating cores, memory, applications, operating system code, and other resources can form a breach-resistant group of barriers. This can make it more difficult for software developers, but the resulting applications are also far more secure, making this approach ideal when safety is at stake.”

Airgapped systems may have been secure in the past such as Controller Area Network (CAN bus) or ICS-related protocols, but they are now more likely to be fully connected and vulnerable to attack. They must also be defended.

FitzGerald says that cyber attacks are growing more intense, more severe, and are happening more often.

“IoT devices and other connected networks are providing new ways for attackers to sneak in the back door of organisations.”

“Businesses shouldn’t let this stop them from embracing new and emerging technologies, especially those that promise to deliver business efficiencies and potential new revenue streams. However, it is essential for businesses to be well aware of the security implications and take the right steps to protect their networks.” 

He says that organisations should choose IoT products that include security by design. They should also look for vendor commitments surrounding product maintenance, and those who deliver firmware or software updates for the device’s entire serviceable life.

“This approach removes the need for consumers or organisations to make security-related decisions by defaulting to secure settings. Two ways businesses can improve IoT security is to change default passwords to unique passwords and to regularly update the product with patches and other security updates.” 

Story image
Emotet remains leading malware in global threat index
The malware has impacted 7% of organisations globally, following a spam campaign which targeted more than 100,000 users per day during the holiday season.More
Story image
APAC secure content management market to hit $2.2 billion by 2024
The proliferation of cloud-based deployments will largely drive this, the report says, as the COVID-19 pandemic motivates more enterprises to move their workloads to the cloud and rely more on the internet. More
Story image
Microsoft top targeted brand by cyber criminals in Q4 2020
In Q4, 43% of all brand phishing attempts related to Microsoft (up from 19% in Q3), as threat actors continued to try to capitalise on people working remotely during the COVID-19 pandemic’s second wave. More
Story image
Palo Alto Networks advances attack surface management with Expanse
"By integrating Expanse's attack surface management capabilities into Cortex after closing, we will be able to offer the first solution that combines the outside view of an organisation's attack surface with an inside view to proactively address all security threats."More
Story image
Red Hat to acquire Kubernetes-native security provider StackRox
Red Hat will further expand its security offering, adding StackRox's complementary capabilities to strengthen integrated security across its open hybrid cloud portfolio.More
Story image
BackupAssist partners with Wasabi for greater cyber-resilience
This partnership provides customers with an up to 80% less expensive solution that is faster than the competition for achieving enterprise-grade cyber-resilience, the company states. More