Information Security Buzz
Expert(s): November 30, 2020
Mark Sangster
Vice President and Industry Security Strategist
eSentire

Comments Dotted : 3
March 11, 2021

Experts Reaction On Verkada Hack Affecting 150,000 Of Its Security Cameras

The Internet-of-things (IoT) is not limited to consumer-grade household devices.

The Verkada infiltration and resulting exposure of sensitive and embarrassing video from software firms, auto manufacturers, law enforcement and healthcare facilities brings home the risks associated with internet-connected devices. The Internet-of-things (IoT) is not limited to consumer-grade household devices, but mission critical surveillance systems, patient management, heavy machinery control, and so on. As companies adopt these technologies as a means of optimizing their operations, it's imperative that they understand the risk and take measures to mitigate them.

 

And vendors need to understand the obligations and particular risks of their clients. Vendors also need to assume they are a target of cybercrime as a means to an end, including infiltrating or damaging their intended targets. In an interconnected world, you are only as strong as the weakest link. Security is more than a promissory statement about intention, or boilerplate content on a website. Zoom learned that when the FTC came calling after marketing collateral outpaced its technical capabilities. This event might be more misdemeanour than felony. The stakes are too high for checkbox approaches to security. The SolarWinds attack demonstrated criminal behavior capable of infiltrating a vendor, infecting its source code, and covering their tracks. And even video surveillance files expose confidential information and manufacturing secrets that can be resold and undermine the value of a specific business, or damage the country's ability to compete on a global stage.

 

Industrial IoT requires the same care and attention as the traditional, unconnected counterparts. Safety standards and laboratory focus on physical risks like injury. Take for example an electrical appliance. Devices are classified by risk, and labels provide clear warnings to the user about safe operation. Where is the same standard for the cyber risks? We need to develop a system that classifies cyber risk and mandates specific controls and safety features to mitigate these risks. This includes access to source code and cloud services with super admin credentials. Security controls exist today to restrict access to critical systems, and provide time windows and task-based access that tracks access and reduces the risk of hyper-access infiltration and resulting breaches.

June 25, 2020

Ransomware Masking as COVID-19 Contact Tracing App – Experts Comments

This sort of campaign is extremely dangerous.
We’ve seen opportunistic criminal leveraging of natural disasters before, for example with 2012 Hurricane Sandy. During the storm, we saw a 30 percent drop in web traffic in our New York and eastern seaboard customers, with an equivalent increase in malicious traffic. With tunnels flooded, criminals knew banks and financial institutions were crippled and ripe for attack. And more recently, we have seen thousands of attacks against the medical facilities we protect. These attacks leverage the response to Covid-19 as a means of increasing the likelihood of success. Cybercriminals are adept at using chaos and confusion as the smokescreen in which to move with stealth, speed, and impunity. In the case of Covid-19, there is no end to the amount of fraudulent and weaponized coronavirus apps, malicious documents, fake websites, and texts. The CryCrypto attack shows a level of surveillance on the part of criminal elements, attuned in real-time to government pandemic responses, and their agility when it comes to creating rapid malware campaigns. This sort of campaign is extremely dangerous. It masquerades as a legitimate app, distributed by a trusted source (in this case, the Canadian government). For this reason, many people could fall prey to this attack. It also drives home the fact that platform vendors play a role in securing their ecosystem with rigid app verification and validation. On a larger scale, it begs questions around the broader privacy and security issues of macro-population tracking, but should also spur people to consider how readily they are willing to surrender personal and potentially costly information on a daily basis. We all too easily surrender our privacy with the click of “I agree”, and then buy back our personal information in the form of products aligned to our searches, preferences, and social media brags. It’s a laissez-faire approach on the side of the consumer. In this case, the blind click could be costly in terms of ransomware.
As the stakes of cyber fraud increase, legislators and lawmakers must address the accepted view of “click” rights, when we all know that very few people actually read the terms and conditions. It’s time for government, vendors, and consumers to wake up to the risks, and take measures to counter cyberattacks like CryCrypto. Cybercriminals employ many tricks to tempt users to install malware on their devices. An exceedingly popular technique is the use of phishing attacks where users/victims are tricked into executing malicious payloads to gain access and control of a victim's device. Once an attacker has control, there are a number of ways they will monetize this access. One of the more popular ways cybercriminals monetize this control is through the use of ransomware where victims' personal information is encrypted and held hostage until a ransom bounty is paid.
December 05, 2019

2020 Cybersecurity Landscape: 100+ Experts’ Predictions

Microtargeting of companies using industry-specific tools to rise in 2020
Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access stores of sensitive information, and credit vendors, like American Express, to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.
