CIO

Proactive security strategies to stave off growing cyber-attacks in IoT and credential abuse

By Anna Chan, Director, Media, Industry Strategy, Akamai Technologies
  • Anna Chan (CSO Online)
  • 22 October, 2018 15:53

The first documented Internet of Things (IoT) cyber-attack took place in 2014, when a smart refrigerator was caught red-handed sending over 750,000 spam emails after being hijacked in a botnet attack. A more recent case in the US concerns an internet-connected thermostat in an aquarium, which hackers successfully controlled to access a database of high-roller gamblers in a casino.

In another case, hackers accessed the company network of an online store through the use of credentials and email accounts from three of its employees. The hackers stole personal information and encrypted passwords of its 145 million users, going undetected for almost 230 days.

However, it’s not just hackers that are responsible for breaches. According to the Office of the Australian Information Commissioner, while 59% of data breaches are from malicious or criminal attacks, 36% are a result of human error from within the business.

Given this ongoing list of reported security breaches and headlines in the press, businesses shouldn’t be asking IF it will happen, but WHEN. Despite this, businesses are falling behind in terms of adopting a proactive security strategy. 

Let us take a deeper look at each of these threat cases in an effort to understand how and why these security incidents are occurring and what businesses can do to mitigate the risk of being the next cybersecurity victim.

Threat Case 1: Security cannot keep up with IoT

Most end-user IoT devices are designed to be lightweight, with limited processing capabilities and almost zero features in terms of security. Hackers are leveraging these IoT devices, as in the case of the smart fridge and fish tank thermostat, to get inside the networks of organisations. They can easily take over or control an IP-enabled device, extract data, and/or implant malicious code that opens a backdoor in a system without being noticed.

To make matters worse, there is a rapid proliferation of connected devices or IoT, expected to grow from the current 8.4 billion to 50 billion by 2020, according to a recent vendor report.

Unfortunately, when security issues are found, it is almost impossible for any organisation to recall its product from the market, nor can the issues be completely resolved through after-the-fact firmware upgrades or software patches.

To prevent these types of attacks in the future, organisations need to adopt a proactive outlook to security through the use of a cloud network as a defense layer. By creating a secure, authenticated connection between the end-user device and its origin server, businesses can block backdoor vulnerabilities right at the edge, while ensuring patches are done without compromising consumer experience.

Threat Case 2: Automation becomes the loophole for hackers

As Australian businesses continue their digital transformation, more automation is being implemented to improve workflows, efficiencies and overall performance. While more and more organisations are turning to smart devices to improve efficiencies, they sometimes fail to realise these technologies are becoming targets for cyber criminals.

Only recently we saw the Australian eSafety Commissioner warning against the use of voice-activated and smart devices as they’re an easy loophole for hackers. In some cases, the use of voice-activated technologies and AI can allow cyber criminals to access other IoT devices, disable security systems and reveal personal information or sensitive consumer data.

Once this happens, Australian businesses are required to report their data breaches through the mandatory Notifiable Data Breaches scheme, which in turn can have a negative impact on an organisation’s reputation.

Threat Case 3: Trust no one, when your users’ credentials can be abused

Time and again, we hear of stories where hackers infiltrated a company’s network to steal customer data through the use of stolen credentials. Too often these types of hacks can go undetected for weeks, even years. According to a recent report, 67% of Australian businesses estimate that 55% of breaches went undetected in the past year. The reason why breaches from credential abuse are less likely to be detected lies with how these attacks are being devised.

Contrary to “brute force” attack types that generate multiple login attempts to the same accounts, credential abuse attacks leverage user names and passwords that have been leaked through data breaches or malicious attacks. What makes these types of attacks so attractive for cyber-criminals is that everyday users tend to use the same login credentials across different sites and devices, including company applications and social media sites.
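The contrast drawn above, as an added detection sketch that is not part of the original article: it labels each source address by the shape of its failed logins, and shows that a conventional per-account lockout counter flags the brute-force target but none of the accounts touched by credential abuse. The log events, thresholds and function names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of failed-login events as (source_ip, username); not real data.
SAMPLE_FAILURES = (
    [("203.0.113.10", "alice")] * 12                      # one account, many guesses
    + [("198.51.100.7", f"user{i}") for i in range(15)]   # many accounts, one try each
    + [("192.0.2.44", "bob")] * 2                         # ordinary mistyped password
)

def accounts_over_lockout(failures, limit=5):
    """Classic per-account counter: usernames with at least `limit` failures."""
    per_account = Counter(user for _, user in failures)
    return {user for user, count in per_account.items() if count >= limit}

def classify_sources(failures, min_events=10, spread_ratio=0.8, per_account_limit=10):
    """Label each source by how its failures are spread across usernames.

    All thresholds are illustrative assumptions, not values from the article.
    """
    per_source = defaultdict(Counter)
    for src, user in failures:
        per_source[src][user] += 1

    verdicts = {}
    for src, users in per_source.items():
        total = sum(users.values())
        if total < min_events:
            verdicts[src] = "normal"
        elif len(users) / total >= spread_ratio:
            # Nearly every attempt names a different account: leaked pairs being replayed.
            verdicts[src] = "credential-abuse"
        elif max(users.values()) >= per_account_limit:
            # Attempts pile up on a single account: password guessing.
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "review"
    return verdicts

if __name__ == "__main__":
    print("lockout counter flags:", accounts_over_lockout(SAMPLE_FAILURES))
    for src, verdict in classify_sources(SAMPLE_FAILURES).items():
        print(src, verdict)
```

The per-source ratio only catches replay that comes from one address; the same spread-across-usernames measure can be computed per time window over all sources when attempts arrive from many addresses.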

With credential abuse attacks on the rise and attackers motivated by financial gains, organisations should no longer limit themselves to on-premise security solutions or performing basic security checks; they should look to a multi-layer security approach that actively hunts for and blocks any potential threats.

Threat Case 4: Threats from within the business

More than half of the workers admitted to using a company laptop for personal activities, be it online shopping, streaming a movie, or internet banking. Little do they realise that hackers can be looking over their shoulders and injecting malicious code into their company network along the way.

Further, weak authentication and encryption, poorly managed remote access control, and passwords for contractors and suppliers open backdoors in a company’s firewall and VPN, all leading to monetary losses that accumulate to millions. A recent report by the Ponemon Institute and Akamai puts the average cost of credential stuffing attacks for companies within the Asia-Pacific at up to US$28.5 million per year.

With more Australian businesses in the process of digital transformation, companies should consider a structured approach to security. Implement robust access management, protect your data, gain visibility to all devices and users, and actively assess your risk exposure at all times. More importantly, avoid firefighting!

For businesses who are looking to make the first move into developing a proactive security strategy, here’s a quick checklist of questions to get you started in the right direction:

  • When was the last time you performed a formal security evaluation and assessment of your network?
  • How and where are you handling, storing and distributing your intellectual property and R&D data?
  • How are you managing access control and passwords for your contractors, remote workers, and suppliers in the ecosystem?

Remember, it’s not if, but when. How prepared is your business?