Unsecured IoT Presents a Significant Risk
Speaking specifically to IoT: while the intent of these devices is to increase productivity, streamline information gathering, and provide convenience and luxury in the digital age, many of them suffer from security risks that range from the simply absurd to end-of-life, including:
- Devices that all share the same password, which cannot be changed. This was the case with the devices recruited into the Mirai botnet, which was used successfully in cyberattacks against the United States, France, and Liberia.
- Products that are older, end-of-life, and no longer receive security updates, like Windows XP and Windows Server 2003, and that are still used worldwide.
- Critical infrastructure, like power generation, election systems, and 911 systems, that is vulnerable to modern attacks because of its age, or because flaws in other devices can be used to cause outages through Distributed Denial of Service (DDoS) attacks.
- Consumer and business-class products that have not been properly secured via passwords, security updates and patches, or even guest access.
Recommendations That the Trump Administration Should Consider Immediately
- Engage the Federal Trade Commission (FTC) and independent bodies, like Underwriters Laboratories (UL Listing), to establish minimum security standards a device must meet before it is connected to the Internet. We all trust that plugging an appliance into an outlet will not cause a fire, so why not establish that a device connected to the Internet will not create a cybersecurity risk? As businesses and consumers we have no way to know whether these devices are safe, and we need to establish guidelines that manufacturers must follow. Many of these technologies are still in their infancy, and we need to address the risks now, before it becomes too late.
- Enforce that end-of-life products be removed and properly disposed of across all government agencies and critical infrastructure. Some power generation utilities are still running operating systems like Windows NT 4.0 that cannot be updated, and they have not been replaced because of current regulations and the cost of replacement. These systems represent a massive risk to our critical infrastructure, yet we have adopted a “band-aid” approach of tools and segmentation to contain the issue. This is not sustainable. We need to move forward: remove these legacy systems, plan for new ones, and remediate the risks, just as we fix aging bridges and roadways.
- Modernize the penalties for cybercrime, and create a new industry. Our laws covering cybersecurity attacks are grossly inadequate and hinge on whether the attack involved financial theft or intellectual property. Remember when Napster and BearShare allowed free downloading of music without paying royalties? Today, sharing music illegally is well understood to be a crime, and whole businesses like Apple iTunes and Spotify have been built around the legal distribution of music to meet end-user demand. Illegal cyber activity can likewise be channeled into legitimate business if we address the crimes correctly and give companies a vehicle to thrive on the activity. For example, it is currently illegal to hack back when you are being attacked. Why? An entire offensive cybersecurity technology industry could be spawned if businesses were allowed to fight back and bring the cyber war to the black hats' doorstep when they try to breach a company.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.