“Much of what is already out there is unsecured”
Hacking and malware remain the primary vectors for cybersecurity attacks, according to the new Verizon Data Breach Investigations Report, and internet of things security is increasingly top-of-mind in the wake of a number of high-profile breaches late last year.
The 10th annual DBIR found that 62% of breaches relied on hacking, and 51% of them included malware. More than 80% of hacking-related breaches leveraged stolen and/or weak passwords. (The DBIR distinguishes between breaches, where data was confirmed to have been disclosed to attackers, and “incidents” where data was at risk but not lost.) In terms of attackers, 25% of breaches originated with internal actors and 75% were outsiders; 51% involved organized criminal groups, the DBIR found. Financial institutions were the most common target, followed by healthcare and the retail and accommodation industry. The top two motives were financial and cyber-espionage. Ransomware has become a major issue, jumping from the 22nd most common type of malware in the 2014 DBIR to the 5th most common in this year’s report. Web application breaches were the most common, driven by botnet-type attacks; in terms of incidents, denial of service attacks were the most common.
IoT security has been an area of increased concern, with high-profile incidents such as the Mirai botnet attack on domain name service provider Dyn which took down major internet sites such as Twitter, Netflix, Reddit and CNN, among others. At a roundtable discussion during the cybersecurity-focused 2017 RSA Conference in San Francisco (which Verizon Enterprise Solutions set up and documented along with the DBIR), security leaders focused mainly on IoT vulnerabilities and state-sponsored cyber attacks.
“With a huge increase in the number of internet-connected devices, industry and governments are both waking up to the reality that much of what is already out there is unsecured and readily hackable,” Verizon concluded.
Attack case studies included Wi-Fi and IoT
Although mobile attack vectors were not significantly singled out in the DBIR, in the accompanying Data Breach Digest, Verizon laid out a number of anonymized real-world case studies that reflected current network risks. In one instance, a company’s chief security officer noticed “odd behavior” on his laptop and his smartphone after a recent trip. Both the laptop and the smartphone were discovered to have been targeted by malicious software, via a known vulnerability in a third-party Wi-Fi calling app (which he had used to avoid the cost of a phone call home) and a web site advertisement, respectively. Verizon pointed out that international business travelers “frequently are forced to make security compromises when crossing borders. This can take the form of being required to connect to unfamiliar and innocuous Wi-Fi networks in order to access the internet. In other situations, users have to part ways with their laptop systems or smartphones at security checkpoints, and don’t regain possession for what can be several critical minutes. … As temporary custodians of mobile devices have access to more and more sophisticated means of compromising them, we will also need to evolve in terms of our methods of detecting deviances from ‘normal.'”
In an IoT-based security breach at a university campus, student complaints about slow or unavailable internet access led to the discovery of more than 5,000 discrete systems “making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to … IoT infrastructure,” according to the case study, written from the point of view of the incident commander. “With a massive campus to monitor, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet. … This botnet spread from device to device by brute-forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems. This was a mess. … We had known repeatable processes and procedures for replacing infrastructure and application servers, but nothing for an IoT outbreak.”
Ultimately, the situation was resolved through a full packet capture set-up that captured the new passwords assigned to the devices and a quickly written new script to turn the tables on the attack, as well as temporarily shutting off all IoT devices’ access to the network.
Verizon concluded that consumers, industry and government must all play a role in better security for IoT: consumers by securing their own networks and devices, and not relying on default passwords; industry, by improving its coding and cryptography; and government, by recognizing the complexity of the security environment and putting smart policy in place that provides incentives for both consumers and industry to play their parts.
Image copyright: aimage / 123RF Stock Photo
