Unsecured IoT Presents a Significant Risk
Speaking specifically to IoT – while the intent of these devices is to increase productivity, streamline information gathering, and provide convenience and luxury in the digital age, many of these devices suffer from security risks that range from the simply absurd to end-of-life, including:
- Devices that have the same password and cannot be changed. This is the case in the Mirai botnet successfully used in cyberattacks against the United States, France, and Liberia.
- Products that are older, end-of-life, and no longer receive security updates, like Windows XP and Windows Server 2003, and that are still used worldwide.
- Critical infrastructure, like power generation, election systems, and 911 systems, that is vulnerable to modern attacks due to age or to flaws in other devices that can cause outages, such as Distributed Denial of Service (DDoS) attacks.
- Consumer and business-class products that have not been properly secured via passwords, security updates and patches, or even guest access.
Recommendations That the Trump Administration Should Consider Immediately
- Engage the Federal Trade Commission (FTC) and independent bodies, like Underwriters Laboratory (UL Listing), to establish minimum standards for security a device must adhere to when connected to the Internet. We all trust that plugging an appliance in to an outlet will not cause a fire, so why not establish that a device connected to the Internet will not create a cybersecurity risk? As businesses and consumers we have no idea if these devices are safe and we need to establish guidelines that manufacturers need to follow. These technologies, in many cases, are in their infancy and we need to address the risks now before it becomes too late.
- Enforce that end-of-life products be removed and properly disposed of across all government agencies and critical infrastructure. Some power generation utilities are still running operating systems like Windows NT 4.0 and are unable to be updated, so they should be replaced due to current regulations and cost of replacement. These systems represent a massive risk to our critical infrastructure, but we have adopted a “band-aid” approach of tools and segmentation to contain the issue. This is not sustainable. We need to move forward and remove these legacy systems, plan for new ones, and remediate the risks just like fixing aging bridges and roadways.
- Modernize the penalties for cybersecurity, and create a new industry. Our laws for cybersecurity attacks are grossly inadequate and based on whether the attack involves financial theft or intellectual property. Remember when Napster and BearShare allowed the free downloading of music without paying royalties? Today, sharing music illegally is well understood to be a crime, and whole businesses like Apple iTunes and Spotify have been built around the legal distribution of music to meet end-user demand. Illegal cyber activity can be turned into legal capitalism if we address the crimes correctly and provide businesses a vehicle to thrive on the activity. For example, it is currently illegal to hack back if you are being attacked. Why? An entire business of offensive cybersecurity technology could be spawned if businesses could fight back and bring the cyber war to the black hats' doorstep when they try to breach a company.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.