There will be 34 billion devices connected to the internet by 2020 – Business Insider
The Internet of Things (IoT) has been a hot topic for a few years. The discussion, however, has focused more on the convenience of having ‘things’ like televisions, refrigerators, and cars connected to the Internet—rather than on their security. Cybersecurity expert Charles Tendell contends this is because we don’t think as much about the security of our appliances, vehicles, and other personal devices as we do about the security of workplace data and systems.
What we fail to realize, though, is that attackers who gain access to a device like an internet-enabled TV can use it to collect information about what we watch and then sell our data to companies. Or worse, they can use that device to infect our home network and get into other devices like a work laptop.
That’s where STEALTHbits’ Director of Product Management, Brad Bussie, CISSP, comes into the conversation. Tendell asks Bussie, a fellow information security veteran, for tips on how organizations and individuals can protect themselves from cyberattack. Bussie offers three main recommendations. Use them to better safeguard your credentials and data.
According to Bussie, the European Union’s General Data Protection Regulation (EU GDPR) is a major step toward holding businesses accountable for protecting consumer information. Organizations anywhere in the world that handle the data of EU citizens have to comply with the regulation by May 25, 2018, or be fined 2%-4% of their annual revenues. Similar legislation may be coming to the US in the wake of large-scale breaches like those at Yahoo! and LinkedIn, which affected millions of users.
Companies can prepare by taking these pragmatic steps to better protect consumer data:
- Implementing a Data Access Governance program to reduce the amount of data they hold, and access to that data, to the lowest possible levels
- Cleaning up toxic conditions in Active Directory, like stale users and nested groups, and closing Active Directory and operating system security gaps
- Monitoring changes and activities in the IT environment in real time to block malicious or unintended changes before they do harm
Consumer Device Identities
Public and commercial sector organizations have long used Identity and Access Management (IAM) solutions to control access to applications based on users’ ‘electronic identities.’ Consumers can adopt a similar approach by ensuring that their device identities (e.g. mobile phones, iPads, internet-enabled appliances) are properly patched and use strong, unique passwords—or even new technologies like LastPass.
Individuals also need to understand the apps on their devices. For example, Uber has a setting that allows the company to track people’s locations even when they are not using its service. Uber employees, or attackers able to steal data from Uber, don’t need to know an individual’s whereabouts. Consequently, it’s best not to enable settings that give companies ‘God-like’ data access.
The Internet of Things, when misused, is a threat to public infrastructure. Think of the attacker who uses a device to disrupt 911 emergency services, or the bad actor who infects a hospital with ransomware, holding its data, systems, and people’s lives hostage. Even countries are using devices to wage cyberwar, as Russia did against neighboring Georgia.
Bussie and Tendell say, ‘We’ve literally reached the point where we can “keystroke people to death.”’ Or, on the flip side, save lives by preventing a terrorist group from mobilizing through shutting down its operations. Our elected officials will have to think through these tough issues as they develop the U.S. cybersecurity plan.
With the explosion of IoT devices and cyberattacks, one thing is for certain: information security professionals will have plenty to do. Just as shows like CSI made forensics cool, now high-profile hacking incidents like U.S. election interference have brought cybersecurity professionals to the forefront of policy-making. With this recognition comes the responsibility to make the world a safer place.
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.