In early March, a Swiss hacktivist by the name of Tillie Kottman successfully exposed businesses, police departments, schools, jails and hospitals in one of the most widespread cyber attacks in modern history, says Chris Rouland, founder and CEO of Phosphorus. How did they do it?
By hacking into nearly 150,000 Verkada security cameras set to their default security settings. Kottman took credit for the attack as an illustration of how easy it is to compromise these types of Internet of Things (IoT) devices and exfiltrate data and other valuable information.
The scary part when it comes to IoT security is that video cameras are just one example of the litany of new attack surfaces hackers have available to exploit. Moreover, organisations and enterprises are not only unaware that their IoT devices are vulnerable to these types of widespread attacks. Most of them are not even aware of most IoT devices on their network.
IoT devices are now so ubiquitous they can be installed for almost any mundane function and security officers would have no idea that they’re there. For example, a maintenance worker might install an IoT monitoring device on a set of doors to sound an alarm if the premises were breached. Little do they know by connecting that device, it could compromise the entire network if hacked.
As organisations’ ecosystems of IoT devices continue to grow at an unknown rate, every chief information and security officer (CISO) is currently being asked what they are doing to protect against IoT security breaches. The short answer is that they must adopt new strategies and policies to ensure hackers do not gain access to their valuable data, but they may not know what those strategies are or how to implement them.
Here are a few strategies to get CISOs started:
Follow basic cyber hygiene practices
The appearance of default credentials on IoT devices is a common mistake made by many vendors, and Verkada is certainly not the only IoT vendor with this problem, they were just the most recent one to be caught. The use of hardcoded administrative credentials and passwords, combined with a lack of a secure credential repository and privileged access management, made it easy for Tillman and their group to access a vast amount of real-time, sensitive video with only a few clicks.
By conducting basic, scalable security hygiene to protect IoT devices such as inventory, patching and credential management this intrusion could have been avoided. The new IoT Cybersecurity Improvement Act now mandates the changing of default credentials on IoT devices and sets strict password policies that apply to humans and all embedded devices.
Taking security measures a step further, as connected devices multiply, organisations will need to automate firmware and patching against IoT’s most critical vulnerabilities. By automating security, organisations can remove software bugs, malicious code, and increase performance of devices all positive things that improve security.
Adopt a zero trust approach to IoT
Given that most organisations are not aware of all of the IoT devices connected to their network, moving towards a Zero Trust model for IoT security is ideal for avoiding ungranted access to a network. Zero Trust is a well-established framework for network security that is centred around the premise that organisations should not automatically trust any device, inside or outside the network, with access credentials.
Even when a network administrator logs into the network, it requires two-factor authentication in an effort to reduce spoofing or unauthorised access. Once logged in, each device and the associated business use of that device is constantly checked and rechecked for changes to its inherent trust every time it tries to access data.
The same framework should apply for IoT devices, especially considering the general lack of awareness surrounding the number of devices and how easy they are to hack when set to default settings.
Take ‘secure device’ promises with a grain of salt
When it comes to security, end users should remain vigilant even when working with trusted vendors. Buying IoT devices from reputable sources with a strong track record of high security standards and ensuring your vendor hasn’t been banned in the U.S. is a must.
There is also plenty that end users can do to increase their security posture if they’re unsure of a device’s security. A first step in securing device deployments is to automate the application of unique credentials and password rotation.
When IoT devices roll out, it’s often thousands or tens of thousands of devices at one clip. Using automated tools for inventory, patching and credential management helps IT teams keep pace without being overwhelmed.
With these approaches to IoT security, CISOs can take proactive measures to prevent their organisation making headlines as the next victim of this type of seamless hacking. By taking steps now to inventory, patch and monitor the devices which have access to their systems, CISOs will be able to move forward with confidence that their information and ecosystems are both secure.
The author is Chris Rouland, founder and CEO of Phosphorus.
About the author
Chris Rouland is founder and CEO of Phosphorus. He is a renowned provider in cybersecurity innovation and has founded several multi-million dollar companies, including Bastille, the company to enable assessment and mitigation of risks of the Internet of Radios, and Endgame, a provider in endpoint security. He was also chief technology officer and “distinguished engineer” for IBM and director of the X-Force for Internet Security Systems. Chris holds more than 20 patents and a Masters’ Degree from the USA’s Georgia Institute of Technology.