
For cybercriminals, IoT devices are big business, part two

In part one of this article, Anthony Giandomenico described how cybercrime has become not only a business, but a big business, designed to generate revenue with predesigned attacks focused on attack vectors that are easy to exploit: IoT devices.

Opportunity is also the land of innovation

Because cybercriminals are focusing more on attacks that target critical infrastructure based on new, interconnected technologies, they don’t have to spend enormous resources and development cycles on figuring out how to break into these systems using complex zero-day attacks. Instead, they can spend more of their resources on making their exploits more difficult to detect; making them more effective by introducing things like worm capabilities that spread infections further and faster; adding multivector capabilities in order to run exploits on a wider range of vulnerable systems; and developing intelligent, multilayered malware that provides a lot of options for stealing data or compromising systems.

The recent WannaCry and NotPetya ransomworm exploits were remarkable not only for how fast they spread, but also for their ability to target a wide range of infrastructures and industries. But the dirty little secret about these attacks is that they could have been entirely prevented if IT folks simply practiced good network hygiene. That’s because these attacks targeted a vulnerability for which a critical patch had already been issued months earlier. Most organizations that were spared from these attacks had one thing in common: They had simply applied the security patch from Microsoft when it was released.

Here at Fortinet, we refer to these sorts of attacks as “hot exploits.” Cybercriminals know from experience that many organizations simply don’t have the time, resources or initiative to patch vulnerable systems. So they build effective exploits and they wait. WannaCry proved that. And NotPetya proved that even after a large attack managed to exploit a well-known vulnerability, far too many organizations were still unlikely to patch their systems. Catch me once, shame on you. Catch me twice…

Our FortiGuard threat analysis team sees this all the time. Nearly every week we record several attacks successfully targeting vulnerabilities for which patches have been available for months — and often, even years. In fact, our latest quarterly threat report showed that the average age of a known vulnerability that is successfully targeted by an exploit because it wasn’t patched is five years. Seriously.

Everything is connected to everything

And now, as infrastructures become more interconnected and begin to adopt new, cutting-edge technologies, the risk is being compounded. Windmills and unpatched operating systems are just the tip of the iceberg. Smart cities are beginning to interconnect energy grids, traffic control, emergency response systems and other critical infrastructure resources and services into a giant, integrated web. Smart cars are run using onboard computers that are increasingly able to make split-second, autonomous decisions. But they are also soon going to connect your car to your financial system in order to automatically pay for things like fuel, tolls, onboard Wi-Fi and streaming entertainment. Smart buildings managed by huge property management conglomerates are being designed with automated heating and cooling systems, lighting, secure access doors and smart elevators that can recognize tenants and deliver them to the appropriate floor. And building supervisors will manage all of this remotely.

The list goes on and on: smart homes, smart appliances, interactive gaming and entertainment systems, online security systems and monitors, interactive and intelligent mall kiosks, online medical consultation and even surgery using remotely controlled tools are all either here now or just over the horizon.

Security isn’t just a good idea — it may soon be the law

Because many of these manufacturers have failed to implement necessary security into their devices, it’s like we have handed the cybercriminal community our ATM cards and PINs because they don’t have to figure out how to bypass security or crack open a hardened operating system. Instead, in the rush to push out new technologies to enterprises and consumers — and even critical infrastructure systems — with little to no security attached, that job has been done for them.

While security devices and strategies can go a long way towards protecting organizations and individuals, security developers can’t solve this problem alone. IoT manufacturers have a role to play, and unfortunately, many have traded responsibility for expediency. The clock is ticking, however. The next step will be to hold manufacturers accountable for selling solutions that can be easily exploited.

Recently, U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, introduced a new bipartisan bill known as the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017.” This bill prescribes that devices purchased by the U.S. government must meet minimum security requirements, and that vendors who supply the U.S. government with IoT devices have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed and are free of known security vulnerabilities, as well as other basic security requirements.

California’s recent Senate Bill 327 would go much further by codifying the State of California’s ability to bring enforcement complaints against companies that do not build adequate security safeguards into their devices. This law has teeth, and because California is such a massive economy, its passage could significantly impact the entire IoT industry.

Such regulatory scrutiny and legislative action targeting the data security of IoT devices is likely to continue to grow, because the alternative is to continue to feed the growing cybercriminal economy. IoT device manufacturers need to prepare now to either develop security standards or conform to legislation in order to avoid massive market disruptions and consumer mutinies. Because the digital economy will continue to move forward, with or without them.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

Join the conversation



I love Windows 8, and I have bootable linux on my usb stick, but I don't think it's going to be much of a benefit for mobile users. Great for IT guys who want to rescue data from a corrupt installation though :)
this poll is strange, of course it will simplify my life, if I can manage to make one. ;)
For Some Mobile Users, WTG will be revolutionary for others less so. For some it will enable open seating models and save office space, for others it will allow them to work outside the enterprise - think call centers. For some it will simply be disaster recovery - snow storm coming? Take your drives home. Instead of deploying 80 notebook computers, deploy 80 flash drives and enable your team to keep working.
The idea behind the "CLOUD" is any device, anywhere....you should have the IDENTICAL EXPERIENCE wherever, whatever device...This is what will make Windows 8 the BEST, no stopping it....
P.S., Of course there's a way to lock down the forest from peeping eyes.....and you're a moon (i.e., put an "R" in the middle) if you spout your "the sky is falling" nonsensical "lack of security" BS.....the lack of security=lack of knowledge....go back to school and get a degree in computer science you moon.
I'd never let a 3rd party put any kind of USB drive into one of our PCs and would expect no less the other way round.
Opens up some very strong options for how mobile workers do business.
No, Windows to Go will be a detriment to businesses and employees as companies have increased security breaches due to lost and/or insecure drives.
Too many of my users lose or forget their memory sticks
How is this any different than using existing software like universal usb installers and unetbootin to load images from usb sticks?
because i use linux. fuk bill gates.
There are already many much better on the go linux distributions available...and at no cost. Chrome on USB also has the advantage that your data is automatically synced to all your devices
Because, you twit. It's windows not ios
We do not have mobile users or applications currently live
We have concerns about the security.
it needs usb 3 to be fast enough, most of my home user pcs don't have usb 3