In the early 1990s, Kevin Mitnick was one of the most notorious hackers on the planet. Now, however, he’s a security rockstar — a best-selling author and popular speaker who has recast himself as a trusted adviser to the Fortune 500 and international governments.
Hackers like Mitnick should remind enterprise companies of the human element of hacking. Mitnick has long been an expert in social engineering, which he defines in his book “The Art of Deception” as “getting people to do things they wouldn't ordinarily do for a stranger.” Threat actors have long used social engineering against traditional computer networks and computing platforms, but the technique is just as dangerous for enterprise IoT devices, nearly half of which have been breached in the past two years, according to a survey of 400 IT executives by Altman Vilandrie & Co. A post on the Mitnick Security blog, for instance, explains how social engineering was likely part of the Stuxnet attack on the Natanz nuclear facility in Iran. The plant’s network was isolated from the public internet, but that air gap was bridged the moment a single worker plugged an infected USB flash drive into a computer inside the facility. Stuxnet, widely regarded as the first digital weapon aimed at industrial control systems, manipulated the Siemens programmable logic controllers that drove Iran’s uranium centrifuges and caused them to fail; it was discovered in 2010.
“It is common for organizations to focus on technology-based cybersecurity risks while not focusing sufficiently on people and process, both of which are common failure points,” said T.J. Laher, senior solutions marketing manager at Cloudera and host of the Cybersecurity On Call podcast.
A May feature in Harvard Business Review reaches a similar conclusion: “The major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris.” Another recent HBR piece considers the behavioral economics of why executives tend to underinvest in cybersecurity. (Note: Cloudera is sponsoring an HBR webinar on the subject of cybersecurity for the C-suite to be held on Aug. 3.)
Such biases can also create trouble for cutting-edge networks designed to confront the IoT security issues posed by networks with thousands or millions of devices, said Ofer Amitai, CEO and co-founder of security startup Portnox. Consider, for instance, intuitive networking, which relies on machine learning and artificial intelligence to automate network administration and threat detection. “One of the most impressive aspects of Cisco’s Network Intuitive [platform], for instance, is that it claims to be able to identify malware in encrypted web traffic without the need to decrypt the information and breach privacy,” Amitai said. “However, if this tool is based on network context, it could create space for social engineering and put the network under threat from potentially dangerous malware ‘disguised’ as regular encrypted traffic.”

For example, a hacker could shape a phishing campaign so that it resembles the regular behavior and actions of employees on the network, thereby gaining entry to the network and access to its assets, Amitai added. “Additionally, a hacker could use social engineering to gain access to the network and then send out what look like regular encrypted commands, which are actually network attack verticals. This would fly under the radar of network admins if they aren’t decrypting traffic to check for malware threats.” In addition, an employee with poor online hygiene could “miseducate” the network and expose the organization to cyberthreats. For many enterprises, Amitai concluded, it may still be too early to automate network access and control to the point of being “intuitive.”
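The two failure modes Amitai describes, malware that blends into the statistical profile of legitimate encrypted traffic, and a baseline "miseducated" by the traffic it learns from, can be shown with a toy metadata-only detector. The following is an added example written for this article; it is not code from Cisco, Portnox or the article's author, and it says nothing about how any vendor's product actually works. All of the flows are constructed, and the two features (bytes sent, seconds since the client's previous flow) and the z-score threshold are assumptions chosen to keep the demonstration small.

```python
"""Toy metadata-only anomaly detector for encrypted flows, plus two ways it fails.

Added example (assumptions: constructed traffic, two features, z-score > 3.0
means "alert"). It is not a model of any real product.
"""
import random
import statistics


def legit_flows(n=200, seed=7):
    """Constructed 'normal' outbound TLS flows as (bytes_sent, gap_seconds)."""
    rng = random.Random(seed)
    return [(max(100, int(rng.gauss(4000, 800))), rng.uniform(1, 600))
            for _ in range(n)]


def naive_beacon(n=300, size=48, period=30.0):
    """A C2 beacon that ignores its surroundings: tiny, identical and clockwork."""
    return [(size, period)] * n


def disguised_beacon(n=100, seed=11):
    """The same beacon after the attacker has studied the network: every message is
    padded to a size drawn from the legitimate distribution and its timing is
    jittered to match the employees' own traffic pattern."""
    rng = random.Random(seed)
    return [(max(100, int(rng.gauss(4000, 800))), rng.uniform(1, 600))
            for _ in range(n)]


def fit(flows):
    """Learn per-feature mean and stddev from metadata alone; nothing is decrypted."""
    sizes, gaps = zip(*flows)
    return {"size": (statistics.mean(sizes), statistics.pstdev(sizes)),
            "gap": (statistics.mean(gaps), statistics.pstdev(gaps))}


def score(model, flow):
    """Largest absolute z-score of the flow across the two features."""
    return max(abs(value - model[name][0]) / model[name][1]
               for name, value in zip(("size", "gap"), flow))


def flag_rate(model, flows, threshold=3.0):
    """Fraction of the given flows the model would raise an alert on."""
    return sum(score(model, f) > threshold for f in flows) / len(flows)


def demo():
    legit = legit_flows()
    clean_model = fit(legit)
    # "Miseducation": the baseline is retrained on a capture that already
    # contains the beacon, so the beacon's own profile becomes part of normal.
    poisoned_model = fit(legit + naive_beacon())
    return {
        "baseline_false_positives": flag_rate(clean_model, legit),
        "naive_beacon_caught": flag_rate(clean_model, naive_beacon()),
        "disguised_beacon_caught": flag_rate(clean_model, disguised_beacon()),
        "naive_beacon_after_poisoning": flag_rate(poisoned_model, naive_beacon()),
    }


if __name__ == "__main__":
    for name, rate in demo().items():
        print(f"{name}: {rate:.2f}")
```

Run as a script it prints four rates: the clockwork beacon is flagged on every flow, the disguised one almost never is, and once the beacon has been absorbed into the training data even the clockwork version stops being flagged. The point is not that metadata analysis is useless, but that a detector which only knows "what normal looks like here" can be taught a different normal by whoever controls enough of the traffic it learns from.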
Another consideration is that relatively few executives worry sufficiently about IoT security issues. This is often the case for organizations fortunate enough never to have been hacked. “We see buyers who think of security as a cost center who want to achieve as much security as possible at the lowest cost,” Laher said. “But if a CEO has ever been part of an organization that has been hacked before, cybersecurity has a bigger budget. They might even have a blank check,” he explained.
Another common hurdle is that executives think of IoT security issues as external. Many breaches, however, are aided or abetted by people within the company. IBM’s 2016 Cyber Security Intelligence Index reported that 60% of such attacks were from insiders. An example might be an engineer unwittingly deploying an insecure network of IoT devices, or it might be a disgruntled cybersecurity professional.
“We are seeing forward-looking organizations embrace this concept of ‘watching the watcher,’” Laher said. “A lot of cybersecurity professionals are ex-hackers. They were black-hat [hackers] at one point or [hacktivists].”
In the end, the triad of people, process and things is interwoven. “Ultimately, the notion of watching the watcher becomes a technology problem,” Laher noted. “You need to do a complete audit so you can track what everybody is doing and what they are accessing and modifying. You need to have all of your data encrypted and secure so that only one or two people can access it.”
With the explosion of IoT devices, “the future of networking is really more about having visibility to all devices connected to the network in real time and the ability to control and manage them in a way that protects the network,” Amitai said.
Peter Tran, GM and senior director of RSA's Advanced Cyber Defense division, says that it is noble to aim to achieve a perfect triad between people, process and technology, but stresses that it is challenging “given the disparate nature of IoT” and “today’s rush to migrate to the cloud.” “The scales tend to get tipped pretty heavily towards technology when IT and sensors come together,” he said.