Modification of default device passwords, which can facilitate brute force attacks or improper access by factory credentials.
A new router or IP camera that is installed on the network, will come with a default credentials that are easy to find out, or are public on the Internet.
Proof of this are attacks from malware to IoT, where “75% is due to abuse of Telnet credentials, attacks with dictionaries of known passwords, and unmodified” *.
*KARPESKY / New trends in the world of IoT threats (sep. 2018)
IoT devices in the company:
safety and protection gaps
Implementing IoT devices within the company means going beyond technical needs and paying special attention to the level of protection against attacks that may affect the privacy of data, the company and its customers, or prevent the proper functioning of its business.
Cyberattacks on IoT, a threat to consider
In view of the increase in vulnerabilities in this type of device, we must take into account technical needs and consider the level of protection against attacks that can obtain private data from the company or its customers as something vital.
According to one of Trend Micro‘s latest reports, 63% of companies say that “IoT-related threats have increased in the last year (2018)”.
Many IoT devices do not incorporate safety as a basic element in their design, manufacture and life cycle
IoT devices in the company: yes but with cybersecurity guarantees
The organizations that connect to their networks devices IoT (Internet of Things) or IIoT (Industrial Internet of Things) must take into consideration the importance of armoring the security of the same, through:
- Correct dimensioning and strengthening of the network where the devices are connected.
- Analysis and personalized configuration of the same.
- Implementation of endpoint control policies or firewalls to monitor the traffic and activity of each one of them.
- Design of incident management plans, as well as monitoring systems and control of any possible security breach.
Aware of this reality, 40% of companies* consider it necessary to have encryption mechanisms and secure authentication of devices, as well as more anti-malware tools.
* THALES/Thales Data Threat Report (2019).
CISOs must ensure security in the deployment of IoT devices in the corporate network
The Digital Transformation of the company, especially in the industry, has led to a digitization and automation of production and management processes, leading to the massive deployment of IoT devices.
This reality presents a new challenge to the CISOs of any company that must analyze vulnerabilities and establish appropriate policies to prevent possible scenarios of attack. They must protect all their resources, especially when they can serve as a gateway to gather confidential information about the organization itself or its customers.
Those IoT, IIoT (Industrial Internet of Things) or IoMT (Internet of Medical Things) devices that handle or obtain private data, for example, RFID, identification or presence devices, would be affected by the new application of the RGPD regulation and the processing of personal data that can be carried out through them.
Low-cost devices or that do not consider security as a model of design, manufacture and use, are the most vulnerable element today.
Typical scenarios for protecting an IoT network from attacks:
These scenarios serve to put into context the need to use tools and methodologies that allow us to control, through inventory and vulnerability management platforms, all the IoT assets at our disposal.
There are many endpoint protection tools that facilitate this task, but it is necessary to apply an exhaustive control of the networks to which they are connected, as well as a crash plan when a vulnerability is detected that has been exploited, since using only VPNs or segmenting the network is not enough.
GRC platform for the integral management of IT processes and information security in terms of regulatory compliance and established standards: RGPD, ENS, SGSI based on ISO 27001, as well as ITIL and ISO 20000, in the area of service management. Integration with PILAR and LUCIA.