How IoT, 5G, RPA and AI are opening doors to cybersecurity threats
In the second part of a series on CIOs preparing for cyberthreats in 2020, we look at how emerging technologies like IoT and the cloud became vulnerable to cyberattacks in the last year.
"You can't say civilization don't advance... in every war they kill you in a new way." - Will Rogers
Software is eating the world. Cloud, RPA and AI are becoming increasingly common and a necessary part of every business that wishes to thrive or survive in the age of digital transformation, whether to lower operational costs or to remain competitive. But as we increasingly digitalize our work, we're opening new doors for cybersecurity threats. Here, we dive into the technological advancements of the past year to learn how we can use that progress without getting burned.
From office devices to home appliances, our "anytime, anywhere" needs require every peripheral to connect to the internet and our smartphones. But simultaneously, the new IT landscape has created a massive attack vector. SonicWall's Annual Threat Report discovered a 217% increase in IoT attacks, while their Q3 Threat Data Report discovered 25 million attacks in the third quarter alone, a 33% increase that shows the continued relevance of IoT attacks in 2020.
IoT devices collect our private data for seemingly legitimate purposes, but when a hacker gains access to those devices, they offer the perfect means for spying and tracking. The FBI recently warned against one such example of the cybersecurity threat concerning smart TVs, which are equipped with internet streaming and facial recognition capabilities.
As governments increasingly use cyberattacks as part of their aggressive policies, the problem only gets worse. IoT devices were usually exploited for creating botnet armies to launch distributed denial-of-service attacks, but in April 2019, Microsoft announced that Russian state-sponsored hackers used IoT devices to breach corporate networks. The attackers initially broke into a voice over IP phone, an office printer and a video decoder and then used that foothold to scan for other vulnerabilities within their target's internal networks.
Some of the hacks mentioned above were facilitated because the devices were deployed with default manufacturer passwords, or because the latest security update was not installed. But with the IoT rush, new cybersecurity threats and attack vectors emerge. "When new IoT devices are created, risk reduction is frequently an afterthought. It is not always a top priority for device makers to create security measures since no initial incentive is seen due to a lack of profit," warned Hagay Katz, vice president of cybersecurity at Allot, a global provider of innovative network intelligence and security solutions. "Most devices suffer from built-in vulnerabilities and are not designed to run any third-party endpoint security software. For many consumers, cybersecurity has been synonymous with antivirus. But those days are long gone," he said.
To fight against the new cybersecurity threats, Katz recommended turning to a communications service provider (CSP). "Through machine learning techniques and visibility provided by the CSP, all the devices are identified. A default security policy is then applied for each device and the network is segregated to block lateral malware propagation. By simply adding a software agent on the subscriber's existing consumer premise equipment, CSPs can easily roll out a network or router-based solution that protects all the consumer's IoT devices."
We also need to consider whether we really need an IoT version of everything. In the words of Ryan Trost, co-founder and CTO of ThreatQuotient who has over 15 years of security experience focusing on intrusion detection and cyber intelligence: "I can appreciate the benefits of every single student having a tablet (or equivalent) for schooling. However, I struggle to find the legitimacy of why my refrigerator needs an Internet connection, or for that matter, a video conferencing feature."
While the next generation network takes AI, VR and IoT to new levels, it's also creating new problems. "5G utilizes millimeter waves, which have a much shorter range than the conventional lower-frequency radio waves. This is where the source of the greatest [cybersecurity] threat in 5G infrastructure originates from," warned Abdul Rehman, a cybersecurity editor at VPNRanks. "An attacker can steal your data by setting up a fake cell tower near your home and learn a great deal about the device you are using including location, phone model, operating system, etc. These can even be used to listen in on your phone calls." To mitigate the risk, Rehman suggests relying on strong encryption.
We've previously talked about how AI is vulnerable to data poisoning attacks. As the technology advances, new forms of cybersecurity threats emerge. Voice deepfakes are one such threat, where hackers impersonate C-level executives, politicians or other high-profile individuals. "Employees are tricked into sending money to scammers or revealing sensitive information after getting voice messages and calls that sound like they are from the CFO or other executives," said Curtis Simpson, CISO at IoT security company Armis. "We've already seen one fraudulent bank transfer convert to $243,000 for criminals. Given how hard it is to identify these deepfakes compared to standard phishing attacks, I expect these operations will become the norm in the new year."
It only takes one wrong click for a hacker to implant malware or open a backdoor. Unfortunately, that could be the undoing of all other security measures put in place to protect the network. "No one is off limits when it comes to cybersecurity threats," warned PJ Kirner, CTO and founder of Illumio, which develops adaptive micro-segmentation technologies to prevent the spread of breaches. Children could end up installing malware on their parents' phones. According to Kirner, "our sons and daughters will quickly become a new threat vector to enterprise security."
Robotic process automation
A Gartner report showed the annual growth of RPA software and projected that revenue will grow to $1.3 billion by 2019. "In 2020, [RPA] will continue its disruptive rise and become even more ingrained in our everyday lives," predicted Darrell Long, vice president of product management at One Identity, an identity and access management provider. "However, with the rapid adoption of RPA, security has become an afterthought, leaving major vulnerabilities." RPA technologies hold privileged data and that makes them lucrative targets for cybercriminals. CIOs must pay close attention to the security of the RPA tools they use and the data they expose to ensure their business is not infiltrated by malicious actors.
Cybercrimes are not only rising -- they are also evolving. Attackers have realized that data in storage systems are key to an organization's operations. "Hackers are now targeting network attached storage (NAS) devices, according to the data revealed in a new Kaspersky report. This new type of attack presents a significant problem to businesses using only NAS devices to store their backups," said Doug Hazelman, a software industry veteran with over 20 years of experience.
According to Kaspersky, there was little evidence of NAS attacks in 2018, but as hackers realized the benefits, they caught users off guard since NAS devices typically don't run antivirus or anti-malware products. Hackers exploited this shortcoming to put 19,000 QNAP NAS devices at risk.
Organizations should keep their systems updated with the latest security patches and ensure only necessary devices are reachable from public networks. Per Hazelman's recommendation, "to prevent cybercriminals from infecting backups with malicious software, CIOs should ensure company backups are being stored on two different media types, one of which being cloud storage, which has several benefits, including increased security."
Reaching for the clouds
Contrary to the other technologies on this list, ransomware has largely left the cloud untouched. However, as companies continue to transition their servers and data to the cloud for more cost-efficient solutions, criminals will shift their focus. The current attacks have largely been due to cloud misconfigurations or stolen credentials, but since the cloud has become a one-stop shop for all data, it's becoming the new battleground.
What we need to do about cybersecurity threats
By now, we've seen how devastating cyberattacks can be, and that the risks are steadily increasing. Security must be a priority and not an afterthought. While new technologies promise convenience and increased returns, CIOs must make sure the security risks do not outweigh the gains.