Three strategies CISOs should take to minimise IoT risks following Verkada

In early March, a Swiss hacktivist by the name of Tillie Kottman successfully exposed businesses, police departments, schools, jails and hospitals in one of the most widespread cyber attacks in modern history, says Chris Rouland, founder and CEO of Phosphorus. How did they do it?

By hacking into nearly 150,000 Verkada security cameras set to their default security settings. Kottman took credit for the attack as an illustration of how easy it is to compromise these types of Internet of Things (IoT) devices and exfiltrate data and other valuable information.

The scary part when it comes to IoT security is that video cameras are just one example of the litany of new attack surfaces hackers have available to exploit. Moreover, organisations and enterprises are not only unaware that their IoT devices are vulnerable to these types of widespread attacks; most of them are not even aware of most of the IoT devices on their network.

IoT devices are now so ubiquitous that they can be installed for almost any mundane function without security officers having any idea they are there. For example, a maintenance worker might install an IoT monitoring device on a set of doors to sound an alarm if the premises were breached. Little do they know that by connecting that device, they have introduced something that could compromise the entire network if hacked.

As organisations’ ecosystems of IoT devices continue to grow at an unknown rate, every chief information security officer (CISO) is currently being asked what they are doing to protect against IoT security breaches. The short answer is that they must adopt new strategies and policies to ensure hackers do not gain access to their valuable data, but they may not know what those strategies are or how to implement them.

Here are a few strategies to get CISOs started:

Follow basic cyber hygiene practices

The presence of default credentials on IoT devices is a common mistake made by many vendors, and Verkada is certainly not the only IoT vendor with this problem; they were just the most recent one to be caught. The use of hardcoded administrative credentials and passwords, combined with the lack of a secure credential repository and privileged access management, made it easy for Kottman and their group to access a vast amount of real-time, sensitive video with only a few clicks.

By conducting basic, scalable security hygiene to protect IoT devices, such as inventory, patching and credential management, this intrusion could have been avoided. The new IoT Cybersecurity Improvement Act now mandates the changing of default credentials on IoT devices and sets strict password policies that apply to humans and to all embedded devices.

Taking security measures a step further, as connected devices multiply, organisations will need to automate firmware updates and patching against IoT’s most critical vulnerabilities. By automating security, organisations can remove software bugs and malicious code and increase the performance of devices, all positive things that improve security.

Adopt a zero trust approach to IoT

Given that most organisations are not aware of all of the IoT devices connected to their network, moving towards a Zero Trust model for IoT security is ideal for avoiding unauthorised access to a network. Zero Trust is a well-established framework for network security that is centred on the premise that organisations should not automatically trust any device, inside or outside the network, simply because it holds access credentials.

Even a network administrator logging into the network is required to use two-factor authentication, in an effort to reduce spoofing or unauthorised access. Once logged in, each device and the associated business use of that device is constantly checked and rechecked for changes to its inherent trust every time it tries to access data.

The same framework should apply for IoT devices, especially considering the general lack of awareness surrounding the number of devices and how easy they are to hack when set to default settings.

Take ‘secure device’ promises with a grain of salt

When it comes to security, end users should remain vigilant even when working with trusted vendors. Buying IoT devices from reputable sources with a strong track record of high security standards, and ensuring your vendor hasn’t been banned in the U.S., is a must.


There is also plenty that end users can do to increase their security posture if they’re unsure of a device’s security. A first step in securing device deployments is to automate the application of unique credentials and password rotation.

When IoT devices roll out, it’s often thousands or tens of thousands of devices at one clip. Using automated tools for inventory, patching and credential management helps IT teams keep pace without being overwhelmed.
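As an added example (not code from this article or from Phosphorus), a small inventory-driven hygiene audit in Python that implements the checks the hygiene section and the rotation advice above call for: it flags factory-default and shared credentials, overdue rotation and stale firmware, and mints a unique credential per device. The policy windows, the inventory fields and the sample devices are assumptions.

```python
# Added example: inventory-driven IoT hygiene audit (assumed policy values,
# constructed inventory). Only credential hashes are stored; plaintext
# passwords are never kept in the inventory.
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy
MAX_FIRMWARE_AGE = timedelta(days=180)    # assumed patch policy

@dataclass
class Device:
    device_id: str
    kind: str
    factory_default: bool       # vendor default credential still in place
    password_hash: str          # hash of the current credential
    credential_set_on: date     # last rotation
    firmware_released_on: date  # release date of installed firmware

def audit(devices, today):
    """Return {device_id: [findings]} for every device failing a check."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    # A hash present on more than one device means a shared credential.
    counts = {}
    for d in devices:
        counts[d.password_hash] = counts.get(d.password_hash, 0) + 1
    findings = {}
    for d in devices:
        issues = []
        if d.factory_default:
            issues.append("factory-default credential")
        if counts[d.password_hash] > 1:
            issues.append("credential shared across devices")
        if today - d.credential_set_on > MAX_CREDENTIAL_AGE:
            issues.append("credential rotation overdue")
        if today - d.firmware_released_on > MAX_FIRMWARE_AGE:
            issues.append("firmware older than policy allows")
        if issues:
            findings[d.device_id] = issues
    return findings

def new_credential():
    """Mint a unique, URL-safe 24-byte secret for one device (32 chars)."""
    return secrets.token_urlsafe(24)

# Constructed sample inventory (hashes are placeholders, not real values).
INVENTORY = [
    Device("cam-001", "camera", True, "h-default", date(2021, 1, 5), date(2021, 2, 1)),
    Device("cam-002", "camera", False, "h-shared", date(2021, 2, 10), date(2021, 2, 1)),
    Device("cam-003", "camera", False, "h-shared", date(2021, 2, 10), date(2021, 2, 1)),
    Device("door-01", "door-sensor", False, "h-unique", date(2021, 3, 1), date(2020, 6, 1)),
]
```

Feeding the real inventory export into `audit` and issuing `new_credential()` to every flagged device is the automation step the text describes; the generated secret should go straight into the credential vault, not into the inventory.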

With these approaches to IoT security, CISOs can take proactive measures to prevent their organisation from making headlines as the next victim of this type of hacking. By taking steps now to inventory, patch and monitor the devices which have access to their systems, CISOs will be able to move forward with confidence that their information and ecosystems are both secure.

The author is Chris Rouland, founder and CEO of Phosphorus.

About the author

Chris Rouland is founder and CEO of Phosphorus. He is a renowned cybersecurity innovator and has founded several multi-million dollar companies, including Bastille, the company that enables assessment and mitigation of risks of the Internet of Radios, and Endgame, a provider of endpoint security. He was also chief technology officer and “distinguished engineer” for IBM and director of the X-Force for Internet Security Systems. Chris holds more than 20 patents and a master’s degree from the USA’s Georgia Institute of Technology.
