Social engineering threatens IoT security issues

While the threat of  IoT security issues is apparent, people and the processes they create are often more problematic.

In the early 1990s, Kevin Mitnick was one of the most notorious hackers on the planet. Now, however, he’s a security rockstar — a best-selling author and popular speaker who has recast himself as a trusted adviser to the Fortune 500 and international governments.

Hackers like Mitnick should remind enterprise companies of the human element of hacking. Mitnick has long been an expert in social engineering, which he defines in his book “The Art of Deception” as “getting people to do things they wouldn't ordinarily do for a stranger.” Threat actors have long used social engineering to target traditional computer networks and computing platforms. But the technique is also perilous for enterprise IoT devices, nearly half of which have been breached in the past two years, according to a survey of 400 IT executives from Altman Vilandrie & Co. A post on the Mitnick Security blog, for instance, explains how social engineering was likely used in the Stuxnet attack against the Natanz nuclear facility in Iran. The plant’s network may have been isolated from the public internet, but all it took to launch the attack was for a single worker to plug a USB flash drive into a computer within the facility. Stuxnet, one of the first examples of an IoT-based digital weapon, caused Iranian nuclear centrifuges to fail and reportedly explode in 2010.

“It is common for organizations to focus on technology-based cybersecurity risks while not focusing sufficiently on people and process, both of which are common failure points,” said T.J. Laher, senior solutions marketing manager at Cloudera and host of the Cybersecurity On Call podcast.

A May feature in Harvard Business Review reaches a similar conclusion: “The major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris.” Another recent HBR piece considers the behavioral economics of why executives tend to underinvest in cybersecurity. (Note: Cloudera is sponsoring an HBR webinar on the subject of cybersecurity for the C-suite to be held on Aug. 3.)

Such biases can also create trouble for cutting-edge networks designed to confront IoT security issues posed by networks with thousands or millions of IoT devices, said Ofer Amitai, CEO and co-founder of security startup Portnox. Consider, for instance, intuitive networking, which relies on machine learning and artificial intelligence to facilitate network administration and threat detection. “One of the most impressive aspects of Cisco’s Network Intuitive [platform], for instance, is that it claims to be able to identify malware in encrypted web traffic without the need to decrypt the information and breach privacy,” Amitai said. “However, if this tool is based on network context, it could create space for social engineering and put the network under threat from potentially dangerous malware ‘disguised’ as regular encrypted traffic.” For example a hacker could disguise a phishing campaign so that it resembles regular behavior and actions carried out by employees on the network, thereby easily gaining entry into the network and access to its assets, Amitai added. “Additionally, a hacker could use social engineering to gain access to the network and then send out what look like regular encrypted commands, which are actually network attack verticals. This would fly under the radar of network admins if they aren’t decrypting traffic to check for malware threats.” In addition, an employee with low-level internet etiquette could “miseducate” the network and exposes the organization to cyberthreats. For many enterprises, it may still be too early to automate network access and control to be “intuitive,” Amitai concluded.

[IoT Security Summit, co-located with Blockchain360 and Cloud Security Summit, explores how industry-wide security, privacy and trust can be established to unlock the full potential of IoT.]

Another consideration is that relatively few executives worry sufficiently about IoT security issues. This is often the case for organizations fortunate enough never to have been hacked. “We see buyers who think of security as a cost center who want to achieve as much security as possible at the lowest cost,” Laher said. “But if a CEO has ever been part of an organization that has been hacked before, cybersecurity has a bigger budget. They might even have a blank check,” he explained.

Another common hurdle is that executives think of IoT security issues as external. Many breaches, however, are aided or abetted by people within the company. IBM’s 2016 Cyber Security Intelligence Index reported that 60% of such attacks were from insiders. An example might be an engineer unwittingly deploying an insecure network of IoT devices, or it might be a disgruntled cybersecurity professional.

“We are seeing forward-looking organizations embrace this concept of ‘watching the watcher,’” Laher said. “A lot of cybersecurity professionals are ex-hackers. They were black-hat [hackers] at one point or [hacktivists].”

In the end, the triad of people, process and things is interwoven. “Ultimately, the notion of watching the watcher becomes a technology problem,” Laher noted. “You need to do a complete audit so you can track what everybody is doing and what they are accessing and modifying. You need to have all of your data encrypted and secure so that only one or two people can access it.”

With the explosion of IoT devices, “the future of networking is really more about having visibility to all devices connected to the network in real time and the ability to control and manage them in a way that protects the network,” Amitai said.

Peter Tran, GM and senior director of RSA's Advanced Cyber Defense division, says that it is noble to aim to achieve a perfect triad between people, process and technology, but stresses that it is challenging “given the disparate nature of IoT” and “today’s rush to migrate to the cloud.” “The scales tend to get tipped pretty heavily towards technology when IT and sensors come together,” he said.

This very cool article and other interesting ones can be found at the source.

Source: Internet of Things Institute

Topics: Social Engineering, Speaking Engagements, The Art of Deception, Fortune 500, Cisco, encryption, cyber security, external security, internal security, IoT devices, IT, malware, Mitnick Security blog, USB, cyber attack, decryption, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

The Growth of Third-Party Software Supply Chain Cyber Attacks

When testing your employees' social engineering readiness, your teams need simulated attacks that feel as if they’re coming from a nefarious engineer...

Read more ›

Bypassing Key Card Access: Shoring Up Your Physical Security

As you build additional layers of defense into your cybersecurity framework, it's important to implement physical security strategies as well.

Read more ›

How to Prioritize Your Pentesting Report’s Remediation Recommendations

If you recently received a penetration test, you’re on the right track to improving your cybersecurity posture. However, you may be wondering what the..

Read more ›