This year is the 75th anniversary of D-Day – the largest amphibious assault in history. This assault probably wouldn’t have been thought of as remotely possible 30 years before it happened, and yet it was arguably a huge success. Why are we talking about World War Two in a cyber security blog, you ask? Because this shift in warfighting was a huge move away from the trench warfare of World War One. Towards the end of that conflict, there was a stalemate. Each side was quite literally entrenched in what was effectively a corporate security perimeter (a trench).
Tanks were invented, and rolled over this perimeter, allowing all manner of attack. Since those days, warfare has changed dramatically, as have the technology, tactics, and strategy used to conduct operations.
The same can be said for corporate IT and security. There have been massive changes involving new technologies that ensure employees can work anywhere, and that businesses can grow easily and scale more quickly than ever before. Whilst many businesses have thrived in this environment, the risk factor has also skyrocketed. With new technology come unknown security problems, and the IoT, mobile devices, and cloud technology have opened businesses up to potential attackers.
With all these new technologies, the traditional concept of the entrenched corporate network perimeter no longer exists. As such, in order to mitigate risk, IT leaders need to shift their attitude to security in a completely new direction. There must be a new focus on the new landing grounds, the endpoint, and the challenges associated with it.
Endpoints have become the breach points for major attacks on the enterprise. A 2017 report revealed that 53% of companies had experienced an increase in malware-infected endpoints over the previous 12 months. Like the beaches of Normandy, these outposts have become starting points for ransomware, data-stealing raids and crypto-mining malware – and they all begin with targeting the soft underbelly of all corporates: employees.
No wonder, then, that we have seen phishing become the modus operandi for hackers looking to spread malware and harvest credentials to pilfer corporate data. The numbers show that phishing, credential stuffing and brute force attacks were present in 62% of data breaches between 2018 and 2019. In addition, fileless malware is being used to bypass traditional endpoint filters – in the first half of 2018 these types of attacks grew by a whopping 94%.
This means that it is more important than ever to focus cybersecurity resources on improving endpoint protection. However, there is a bigger risk on the horizon – 60% of Black Hat USA attendees interviewed in 2018 claimed that IoT security was a huge concern. Gartner estimates that there will be 20.4 billion connected ‘things’ in use by 2020, seven billion of which will be in operation within businesses. These devices represent a massive expansion of the corporate attack surface – this is made worse by many of them still not being designed with security in mind. Many IoT manufacturers may not even have vulnerability management or software patching processes in place. And yet these endpoints are always on, and connected to the corporate network. Many may not have been officially sanctioned by the IT department. Think about that smart TV in the boardroom – how do you know that it isn’t covertly recording all your meetings?
Spyware isn’t the only threat from exposed IoT endpoints. What about DDoS attacks? The infamous Mirai botnet attacks were made possible because devices were secured with factory-default logins. Devices were hijacked, compromised, and conscripted into botnets. This isn’t even taking into account the potential to conscript those same devices to launch crypto-mining operations, spam campaigns, click fraud, credential stuffing – the list goes on. Whilst the organisation may not be directly impacted by this underhand conscription, the wider implications of this kind of activity are deeply worrying.
The security debt collectors are due
So, what can IT security leaders do? Firstly, do your research on new IoT vendors, and especially on their policy on vulnerability management and disclosure. The good news is that the BSI last year introduced a kitemark for IoT and IIoT devices which includes enterprise and ‘enhanced security’ categories. Since then, the UK government has also proposed further legislation to kitemark and label the quality of electronic devices. This should improve baseline security across the board by making it easier for IT buyers to spot the best kit. The National Cyber Security Centre (NCSC) is also doing its bit by providing guidance for developers.
However, the strain on already overstretched IT security teams could still lead to security gaps. The IoT revolution greatly increases the patch workload, while advanced endpoint security features like sandboxing require hands-on expertise to configure and manage effectively. The answer could be managed security services. By outsourcing to a third-party expert, you ensure that even a large and dispersed endpoint estate will be kept up-to-date, correctly configured and securely managed at all times.
SecureData has extensive expertise in monitoring corporate attack surfaces, and has dedicated expert teams ready to alert you, provide best of breed advice and ensure you have the best strategies in place to mitigate the risk associated with connected devices on the business network. Why not drop us a line, and see how we can help?