According to research from Cynerio – a health care IoT security platform, several medical IoT devices are prone to cyberattacks exposing hospitals and patients’ data to various cyberthreats. In its 2022 State of Healthcare IoT Device Security Report, Cynerio stated that medical IoT security has remained unaddressed despite increased healthcare cybersecurity investments. It’s found that nearly 53% of connected medical devices and other IoT devices in hospitals have known critical vulnerabilities. If compromised, these vulnerabilities could allow an attacker to perform multiple criminal activities like impacting service availability, data confidentiality, or patient safety.

Key Findings:

• IV pumps make up 38% of a hospital’s routine health care IoT footprint, and 73% of these have a vulnerability that could jeopardize patient safety, data confidentiality, or service availability if it were to be exploited by an adversary.
• Devices running versions older than Windows 10 account for most devices used by pharmacology, oncology, and laboratory devices and make up a plurality of devices used by radiology, neurology, and surgery departments, leaving patients connected to these devices vulnerable.
• The most common IoMT and IoT device risks are connected to default passwords and settings that attackers can often obtain easily from online manuals, with 21% of devices secured by weak or default credentials.
• Network segmentation can address over 90% of the critical risks presented by connected medical devices in hospitals and is the most effective way to mitigate most risks presented by connected devices.

Also Read: How Brainjacking Became a New Cybersecurity Risk in Health Care

“Health care is a top target for cyberattacks, and even with continued investments in cybersecurity, critical vulnerabilities remain in many of the medical devices hospitals rely on for patient care. Visibility and risk identification is no longer enough. Hospitals and health systems don’t need more data – they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it’s time for all of us to step up. With the first ransomware-related fatalities reported last year, it could mean life or death,” said Daniel Brodie, CTO, and co-founder, Cynerio.

Medical IoT Devices and Cybersecurity

With multiple intrusions and attacks on connected medical devices, the health care providers continued to be the primary target for cybercriminals. However, the most concerning issue for the health care sector is cyberattacks on implanted medical devices. Several cybersecurity experts stated that threat actors can hijack certain connected medical devices implanted in a human’s body or brain — they are calling this Brainjacking. Read More Here…

The post Over Half of Medical IoT Devices Found Vulnerable to Cyberattacks appeared first on CISO MAG | Cyber Security Magazine.

The survey “IoT in the Enterprise: Empty Office Edition” examined over 575 million device operations and 300,000 malware attacks on IoT devices, which Zscaler had blocked in December 2020. Nearly 76% of these IoT devices are still connected and maintaining communication with the company’s network on unencrypted plain text channels, posing severe security risks to businesses.

As per the survey findings, cyberattacks on connected devices surged by 700%, compared to the pre-pandemic period. Unauthorized IoT intrusions targeted over 553 different device types, including smart printers, smart TVs, cameras, and other connected devices linked to corporate IT networks.

Most Targeted Devices

The majority of the IoT attacks focused on set-top boxes (29%), smart TVs (20%), and smartwatches (15%). The home entertainment and automation sector reported the least number of attacks when compared to the health care, manufacturing, and enterprise sectors. Most attack traffic was reported on IoT devices in manufacturing and retail sectors (59%), including GPS trackers, 3D printers, automotive multimedia systems, barcode readers, PoS terminals, and other data collection devices.

The most targeted countries in the IoT attacks campaign were Ireland (48%), the U.S. (32%), and China (14%). Also, 90% of the affected IoT devices were found transferring information to servers located in China (56%), the U.S. (19%), or India (14%).

Unique Malware Attacks 

Zscaler’s ThreatLabz team uncovered over 18,000 distinctive hosts and 900 unique IoT malware variants in just a 15-day timeframe. The research team found new malware families — Gafgyt and Mirai — which are known for hijacking IoT devices to create botnets and spread malware.

“For more than a year, most corporate offices have stood mostly abandoned as employees continued to work remotely during the COVID-19 pandemic. However, our service teams noted that despite a lack of employees, enterprise networks were still buzzing with IoT activity. The volume and variety of IoT devices connected to corporate networks are vast and include everything from musical lamps to IP cameras,” said Deepen Desai, CISO of Zscaler.

Mitigation

Organizations should develop an IoT threat mitigation plan and practice basic security measures to mitigate the risks from vulnerable IoT devices. These include:

• Monitor and get complete visibility into all the IoT devices in the network.
• Always use strong passwords rather than keeping default ones.
• Fix the unpatched vulnerabilities before the hackers exploit them.
• Implement a zero-trust policy. Monitor and enforce a strict authentication policy to avoid shadow IoT devices into the company’s network.
• Implement a strong device verification process before allowing Bring Your Own Devices (BYOD) policy.

Related Stories:

• If You’re Connected, You’re Vulnerable Too!
• “IoT technology will always improve but it will never be 100% secure”

The post While Employees Work Remotely, Attackers Target Their IoT Devices Left in Office appeared first on CISO MAG | Cyber Security Magazine.

In an interview with Rudra Srinivas, Sr. Feature Writer, CISO MAG, Chukwudum Chukwudebelu, Chief Strategic Officer and Co-Founder at Simius Technologies Inc., discusses the major cybersecurity concerns associated with IoT devices. Chukwudum is experienced in product management, strategy, marketing, and sales in simplifying the consumer cybersecurity industry.

Edited excerpts from the interview follow:

The surge of the Internet of Things (IoT) is forcing many businesses to reconsider their approaches towards cyber risk management. How is the explosion of IoT devices changing the cybersecurity landscape?

The explosion of IoT is an unprecedented phenomenon. It is one thing for a computer with a screen to be connected to the internet, where you would notice something wrong. But it’s another issue for IoT devices. There was an incident of a casino that was hacked through a smart thermometer. IoTs make your networks vulnerable, and they are not designed to be secure. Even if they are, it is only the hardware that is secure due to the changing nature of vulnerabilities. Embedded firmware becomes insecure over time. This is especially true when you consider very few manufacturers provide regular firmware patches. Because of this, they become the backdoor for hackers, and without proper network security scans on those devices, how would an organization or even a consumer know when these devices have been breached? Businesses have to understand that they need consistent surveillance on these IoT devices because they may not know when they have been hacked. And if they have been breached, one may be thinking that it is just a smart thermometer. However, one single breach can amount to the domino effect, as intruders pivot from device to device. They might be able to navigate with impunity onto other devices, creating a backdoor to sensitive files or systems. Businesses and consumers need full holistic solutions for the cybersecurity landscape of today because every small breach in any organization could have a domino sitting there, waiting to be tipped.

According to a survey, the total number of IoT devices is expected to reach 83 billion by 2024, from 35 billion in 2020, which represents a growth of 130% over the next five years. Will IoT ever be 100% secure? What will be the state of IoT security in the next five years?

The IoT technology will always improve but it will never be 100% secure. As long as it is connected to the internet, there is always a risk. The best chance at cybersecurity is to reduce that risk. Since the internet was not built to be secure, rather, it was designed to be shared.  Industries are increasing the use of IoTs, and consumers are doing the same. As with anything, Moore’s law applies. An example would be for smart homeowners, where consumers have fully automated homes. Many smart homeowners have had their devices breached. We can also dive into the agricultural sector with the rise of fully automated farms, manufacturing industries using autonomous robotics, etc. In the next five years, many of these industries will become fully dependent on IoT devices. They will need to be secure to reduce risk, and the manufacturers of these devices together with the cybersecurity companies and government have to find a way to work together to deliver 100% secure IoT devices. By constantly keeping up with the threats and vulnerabilities, while being on point to thwart or prevent an attack at a moment’s notice. There’s no such thing as the cyber police yet, but I am sure that it will become recognized and more prominent as a need with most law enforcement agencies.

Based on a report, nearly 80% of IT professionals discovered shadow IoT devices connected to their company’s network. What are the major cybersecurity concerns associated with shadow IoT devices and how enterprises can deter potential threats from them?

The major cybersecurity concern is fear of the unknown. We don’t know what we do not know. That is part of being human. However, shadow IoT devices offer a unique attack vector for cybercriminals. We’re talking about connected devices or sensors that are actively in use within an organization’s network without their IT department’s knowledge. This includes everything from PCs, smartphones to personal health monitors and other smart devices. So, organizations and consumers need to keep a tight-knit around access to their networks. The value of keeping passwords away from employees or strange acquaintances cannot be underestimated. How can one prepare to mitigate against shadow IoT attacks if they do not keep their network access controlled?

Organizations and consumers alike should consider change management practices. Should there be any breach through a shadow IoT attack, it will keep recurring, and the businesses or consumers will keep having to deal with damage control. Until those loose ends are kept under wraps, shadow IoT attacks will remain a large point of risk.  It is difficult to discover problems without proper visibility for these IoT devices. Enterprises could do a network reset, with the devices connected to their network, but this can require significant coordination and effort on the part of their staff with guidance from the IT department. But this is much similar to doing a body cleanse. Flushing out unwanted devices and rebooting the ones you have is always a good practice. Discovering shadow IoT devices is tricky without proper network security in place. You could also have scenarios where an employee’s device is still connected to the network long after they are no longer in the organization, so be sure to change password or logon credentials often. Certain security policies and protocols have to be put in place to reduce the frequency of those issues. When enterprises and consumers are aware of the potential threats with Shadow IoT devices, they can prepare for it.

As Chief Strategic Officer, how do you help prevent information theft through IoT devices?

They say simplicity is an art. The most basic way of theft through an IoT device is using the breached passwords. Who creates these passwords? Is there a solid password policy enforced by the organization? Or do smart home consumers even have a standard to the passwords they use? These are basic but important questions. The users of these devices are also a target for phishing campaigns and various malware vectors which can breach a network from the fault of user activities. Even though someone may accidentally click a bad link, even the most sophisticated network security systems can be breached by that error in judgement. Why do we think that accessibility means identity? Someone can access your IoT device with your password does not mean they are authorized to log in. This is how two-factor authentication is designed to operate. How do the users manage their passwords though? That is the first line of defense. Most times they do not like to manage passwords effectively. Instead, they leave their own passwords out to dry. 64% of people still use the same passwords online. Also, when these IoT devices are hacked, users do not know because they do not have a screen or visibility. No notifications are available to warn them. Users of IoT devices can use certain tools to scan for vulnerabilities and prevent them before they happen such as updating your firmware. But we have to go back to the fundamentals, “Are you authorized to access this IoT device?” User training with basic cybersecurity fundamentals is quintessential for success.

Insider threats are one of the important concerns for security leaders today. Besides, remote work has also encouraged businesses to embrace Bring Your Own Devices (BYODs) concept at workplaces. How can enterprises stop non-business IoT devices from connecting to corporate networks? Is there a middle-ground solution that you see enterprises using?

There is a middle ground somewhere between. Enterprises and consumers need to segment their network, through VLANs as an example. They can make trusted or untrusted devices connect only to the specified VLAN for which they are authorized to access. This also prevents any unauthorized access to the main enterprise or smart home network.

Businesses and homeowners alike can set up a network that needs multiple layers of security before a new device is connected to it, not just a password. Hence the usefulness and ease of two-factor authentication. That way there is an additional security layer. Enterprises have to create new security compliance policies and treat any foreign device as a threat immediately until it is determined to be a safe or trusted device. Smart homeowners are no exception. But this way, only authorized devices can connect to these networks. This is how to simplify things. We are treating devices and users into buckets of being trustworthy versus not.

In what way will artificial intelligence drive the future of the IoT landscape? And what should manufacturers be wary of to prevent the security of IoT devices from being compromised?

AI will continue to assist with automation, but there will be points of high risk that require human intervention. Manufacturers will have to be wary of viruses, threats generated from adversarial networks of cybercriminals. These threats will likely remain persistent since all IP addresses are public. The bad guys will constantly be scanning these lists to see if there are any vulnerabilities worth exploiting. Manufacturers will need sufficient infrastructure in place to prepare for these kinds of attacks. They will need to consistently ask for feedback, and test for vulnerabilities. After all, this is a great game of cat-and-mouse we play with the cybercriminals.

About the Interviewer

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

Read More from the author. 

 

 

The post “IoT technology will always improve but it will never be 100% secure” appeared first on CISO MAG | Cyber Security Magazine.

Looking at the spiking trend of online networking and accessibility, security solutions provider McAfee conducted the “2021 Consumer Security Mindset Survey,” which revealed that consumers in India are more cautious about the security of their connected devices. It also stated that 88% of Indian consumers feel they are more digitally connected and 86% have implemented more protection for their digital devices.

Key Findings

• Nearly 57% of Indians agree that digital hygiene or the lack of it can put them and their families at risk.
• 2 out of 3 Indians (68%) check if the network that they are joining is secure before connecting.
• Increase in COVID-19-themed attacks targeting people working remotely.
• 53% feel more vulnerable to risks when someone has visited their home and has connected to their internet.
•  Perceived to be most vulnerable to cyberthreats are Wi-Fi networks (57%), someone’s home computer (46%), smart home assistants (26%), smart TV (28%), and gaming systems (29%).

• 62% of the respondents believe that digital wellness and protection should have a separate curriculum and be taught throughout primary school. Online learners mostly concerned about exposure to scams (53%), sharing personal information (53%), illegal content (55%), cyber-bullying (52%), and misinformation (49%).

Increase in Cyber Hygiene

It was found that Indians are taking online security seriously — given the rise in COVID-19-themed attacks, which increased by 240% in Q3 and 114% in Q4 last year, with an average of 648 new threats per minute. Nearly 58% of Indians stated that they have a good understanding of the data they download/store on their mobile devices. Over 72% use a mobile security software solution to protect their mobile data, of which, 46% use preinstalled security software. And 58% of Indians believe that the information stored on their mobile phone is secure from cyber risks.

“Remote working, online learning, and a surge in the usage of connected devices due to more time being spent indoors have resulted in increased digital dependence among Indians. While our study indicates that more Indians are digitally connected owing to the pandemic, they are also now actively taking steps to keep themselves protected from online threats. The spike in our digital footprints during this time, makes it critical for everyone to understand the importance of online security and take measures towards protecting themselves,” said Venkat Krishnapur, Vice-President of Engineering and Managing Director, McAfee India.

How to Enhance Your Online Security? 

With rising attacks on connected devices, consumers must understand the seriousness of potential risks and must follow the required security measures to protect their personal information. Here are some security tips to enhance cyber hygiene:

• Prioritize digital health by enhancing security standards across devices and home networks can also go a long way in maintaining digital wellness.
• Use multi-factor authentication to double-check digital authenticity and add a layer of security to protect personal data and information.
• Be cautious when connecting to any public Wi-Fi, or even your friend’s Wi-Fi connection, and make sure the network is secure and attached to a trusted source. Ensure that you don’t conduct any financial transactions or share any personal details while on an untrustworthy Wi-Fi network.
• Separate your devices for business and personal use. We may have brought work home with us, but it’s important to set boundaries between personal and work life.
• A comprehensive security software that can detect and block a variety of threats is always a good investment. Also, check if it includes a firewall, as this will ensure that all the computers and devices on your home network are well protected.

While we cannot expect 100% online data security, maintaining robust cyber hygiene will certainly help deter cyberthreats in the long run.

The post Do Digitally Connected Indians Feel Secure During the Pandemic? appeared first on CISO MAG | Cyber Security Magazine.

To mark the same, Nir Chako, the security research team leader at CyberArk, has recommended security measures for individuals to enhance their data privacy online.

1. Update Your Router

Cybercriminals can easily break into home networks by exploiting vulnerabilities in out-of-date firmware on Wi-Fi routers. Outdated firmware often contains multiple unpatched flaws that can be easily exploited by hackers, so it is important to keep it regularly updated. Making sure your router is up-to-date not only reduces the risk to your personal information and devices on your home network, but also helps safeguard against attacks on your employer that might inadvertently come via your home network.

2. Update Your Device

The proliferation of working made us more vulnerable to cyberthreats. Cybercriminals targeted the remote workforce, trying to exploit loopholes in the corporate networks to break into employees’ work devices and eventually pilfer sensitive corporate data. Updating work devices (laptop or desktop computers) and activating anti-virus software on them helps defend against unauthorized intrusions. Whether you have Windows Defender or security software from a third-party, make sure that the antivirus you are using is active and updated with the most recent security fixes, so you are best placed to proactively identify and rectify any security issues before data becomes at risk.

3. Think Before You Click

Users must be vigilant about threat actors misusing the User Access Control (UAC) feature while installing a new program or software. UAC can be used for malicious purposes. It asks the users whether they want to change something on their computer by manifesting itself as a pop-up tool window. This feature is often spoofed by attackers to either install malware or steal credentials to infiltrate an employee’s device or a company’s corporate network. When permission is granted, the software is allowed access to a user’s computer. If in doubt, do not do it, and flag any suspicious activity to your company’s security team.

4. Avoid Malicious URLs

Cybercriminals often use malicious URLs to phish users into giving login credentials or other sensitive information. Malicious URLs are specially crafted links that host viruses and malware that could infect users’ devices or redirect users to fake login pages to pilfer private data. These types of URLs are a constant threat to both personal and business devices but are easy to avoid. Be wary of clicking on something unexpected or use security services to check the safety of files and weblinks before you visit them.

5. Secure Your IoT Devices

The proliferation of the Internet of Things (IoT) in consumer, health care, and other enterprises, and their internal vulnerabilities, has created a security blind spot where adversaries can launch Zero-day attacks to break into connected devices like smart TVs, webcams, routers, printers, and even a smart home. IoT devices are Wi-Fi-enabled and, if compromised, can be used to access data, credentials, and passwords from other areas of our home networks — to steal information or plant malicious software. Never use easy-to-guess or weak passwords for your connected devices. Also, make sure to update them often to fix known and unknown security flaws.

Cybercriminals continue to innovate their hacking techniques and never miss a chance to exploit a vulnerable resource. When it comes to safeguarding critical data, it is our responsibility to secure all the endpoints and networks against online intruders.

The post Data Privacy Day 2021: 5 Tips to Secure Your Sensitive Data appeared first on CISO MAG | Cyber Security Magazine.

What is a Swatting Attack?

In swatting attacks, the offenders make fake calls to emergency services like law enforcement and the S.W.A.T. team and share false information about the victim’s location. Malicious actors often use Swatting as a form of revenge, harassment, or a prank, sometimes resulting in potentially deadly consequences.

“Offenders often use spoofing technology to anonymize their phone numbers to make it appear to first responders as if the emergency call is coming from the victim’s phone number. This enhances their credibility when communicating with dispatchers,” the FBI said.

To obtain access to connected devices, offenders misuse users’ stolen e-mail passwords or exploiting users who re-use the same passwords. Once compromised, malicious actors take control of the device features like live-stream camera and voice assistant.

How to Defend

The FBI urged users of smart home devices to be vigilant and advised to follow certain measures to maximize IoT device security. These include:

• Because offenders are using stolen email passwords to access smart devices, users should practice good cyber hygiene by ensuring they have strong, complex passwords or passphrases for their online accounts, and should not duplicate the use of passwords between different online accounts. Users should update their passwords regularly.
• Users should enable two-factor authentication for their online accounts and all devices accessible through an internet connection to reduce the chance a criminal could access their devices.
• Users should also enable two-factor or multi-factor authentication with a mobile number, and not with a secondary e-mail account.

The post Smart Home Devices Under Swatting Attacks; FBI Warns appeared first on CISO MAG | Cyber Security Magazine.

By Rudra Srinivas, Feature Writer, CISO MAG

The proliferation of IoT devices and their unpatched internal vulnerabilities allow cybercriminals to launch zero-day attacks, compromising various connected devices like webcams, security systems, routers, printers, and smart home connected appliances (like thermostats and doorbell ringers). In addition, these devices store users’ private information, which could be easily misused if it falls in malevolent hands. In light of knowing what cybersecurity risks these devices could pose, it is imperative to enhance their security at the consumer and enterprise level.

Future of IoT

IoT devices are gaining more popularity year-over-year. According to a survey from Juniper Networks, the total number of IoT connections is expected to reach 83 billion by 2024, from 35 billion connections in 2020, which represents a growth of 130% over the next 4 years. A significant rise of IoT networks is also expected in various sectors like Industrial, Manufacturing, Retail, and Agriculture, accounting to over 70% of all IoT connections by 2024.

Growing Attacks on IoT

In tandem with technology and deployment, the growth of IoT devices also resulted in a variety of cyberthreats. The surge in IoT threats is an ever-growing concern to enterprise network security. Organizations need to implement the necessary steps to maximize security in all layers of the IoT ecosystem. A recent survey claimed that nearly 57% of IoT devices are vulnerable to cyberattacks. It found that the number of non-business IoT devices connecting to corporate networks increased over the last year. The devices that regularly connect to corporate networks include smart teddy bears (34%), medical devices (44%), electric vehicles (27%), and connected kitchen appliances (43%).

IoT Security Regulations

To address the growing risks around connected devices, governments across the globe are implementing stringent regulations for users’ data security and privacy. Recently, the U.S. House of Representatives passed the IoT Cybersecurity Improvement Act, which is intended to improve the security of IoT devices in the country. As per the proposed bill, all IoT devices purchased by the government must fulfill minimum security requirements.

The Australian government introduced the “Code of Practice,” which is a basic cybersecurity standard for all IoT devices in the country. A new proposal from the U.K. government stated that insecure IoT devices that are used in households and businesses could be banned from sale or removed from the market if they fail to meet certain security standards. The latest regulations are intended to protect the digital infrastructure from the evolving cyberattacks on connected devices.

How to Secure Your IoT

• Do a thorough research before purchasing an IoT device, as companies provide different levels of security. Compare similar devices with different manufacturers and choose a reliable one.
• Always encrypt your IoT devices with a strong password and update it regularly. Ensure your Wi-Fi network is secure, as this is the first gateway for hackers to try to break into your devices. Remember to turn off the device when it is not in use.
• Connected devices become smart based on the data they collect. Be vigilant on what data the device is storing and with whom it being shared. Know how the device’s manufacturer collects, stores, and protects your sensitive information. Erase all personal information from your connected device when you are removing it from your network.

Do Your Part. #BeCyberSmart  

Owing to the pandemic, remote working has led to both opportunities and challenges for users across the globe. Thanks to the increased use of IoT devices, our homes and businesses are more connected than ever. And it has paved way for newer vulnerabilities. It is essential to be conscious of the evolving threats, manage risks, and assess compliance through GDPR, HIPPA, and other regulations before cybercriminals attempt to exploit any vulnerabilities.

Being cyber smart is the only way forward to help protect our interconnected ecosystem.

About the Author

Rudra Srinivas is a Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.

The post Protect the Connected! Will IoT Ever be 100% Secure? appeared first on CISO MAG | Cyber Security Magazine.

A survey “The Connected Enterprise: IoT Security Report 2020” from Palo Alto Networks highlighted a variety of cyberthreats due to the surge in IoT device deployment. The survey, based on the responses of 1,350 security leaders in 14 countries across Asia, Europe, the Middle East, Canada, and the U.S., revealed that the number of non-business devices connecting to corporate networks increased over the last year. The devices that regularly connect to corporate networks include smart teddy bears (34%), medical devices (44%), electric vehicles (27%), and connected kitchen appliances (43%).

IoT Risks: A Growing Concern

According to the survey, 57% of IoT devices are vulnerable to cyberattacks. Over 89% of security leaders reported seeing increased numbers of  IoT devices on their networks last year, with more than 35% of them reported a significant increase. In addition, around 95% of security decision-makers stated that they have visibility of all the IoT devices on their organizations’ networks. However, 41% of respondents said they need to make improvements to the way they approach IoT security, and 17% said a complete revamp is needed.

One in five organizations in North America admitted that they have not segmented IoT devices onto separate networks, which is a basic security measure for building safe and smart networks. Only 20% reported following best practices of using micro-segmentation to contain IoT devices to their own controlled security zones.

How to Strengthen IoT Security

Palo Alto also recommended certain security steps for organizations in order to bolster their IoT security. These include:

1. Employ device discovery for complete visibility. The first thing businesses need to do is get visibility into the exact number and types of devices on their networks, keeping a detailed, up-to-date inventory of all connected IoT assets, their risk profiles, and their trusted behaviors.
2. Businesses should divide their networks into subsections to enable granular control over lateral movement of traffic between devices and workloads, reducing the attack surface. Virtual local area network (VLAN) configurations and next-generation firewall policies should be used to keep IoT assets and IT assets separate.
3. Strong password security is fundamental to securing IoT devices. As soon as an IoT device is connected to the network, the IT team should change the weak default password with a secure one that aligns with the organization’s password policies.
4. Most IoT devices are not designed to patch security flaws regularly, so it is critical that IT teams ensure devices are regularly patched for known vulnerabilities. To avoid data loss, add dedicated IoT aware file and web threat prevention as well as virtual patching capabilities via intrusion prevention.
5. Traditional endpoint security solutions require software agents that IoT devices are not designed to take. Organizations should implement real-time monitoring to continuously analyze the behavior of all network-connected IoT endpoints by integrating existing security postures with their next-generation firewall.

Ivan Orsanic, Regional Vice President and Country Manager, Canada, at Palo Alto Networks, said, “The proliferation of IoT devices poses a major challenge for Canadian organizations. IoT devices, such as connected medical devices, lack basic security settings that make them vulnerable to being exploited. As employees continue to work remotely, it is imperative that IT teams introduce IoT security measures to shore up their defenses. It is striking that Canadian organizations say they can see the problem yet are struggling to solve it. Having visibility of IoT devices is great, but without proper network segmentation, cybercriminals could gain access into networks to do damage.”

The post 95% IT Pros are Confident About the Visibility of IoT Devices on Their Networks appeared first on CISO MAG | Cyber Security Magazine.

“These exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill,” researchers said.

The vulnerabilities would allow attackers to perform malicious activities like:

• Stealthily install skills (apps) on a user’s Alexa account
• Get a list of all installed skills on the user Alexa account
• Remove an installed skill without the user’s knowledge
• Get the victim’s voice history with their Alexa
• Get the victim’s personal information

One-Click Alexa Attack

• The user clicks on a malicious link that directs them to amazon.com where the attacker has code-injection capability.
• The attacker sends a new Ajax request with the user’s cookies to amazon.com/app/secure/your-skills-page and gets a list of all installed skills on the Alexa account and the CSRF token in the response.
• The attacker uses the CSRF token to remove one common skill form the list we received in the previous step.
• Then, the attacker installs a skill with the same invocation phrase as the deleted skill.
• Once the user tries to use the invocation phrase, they will trigger the attacker skill.

Successful exploitation of vulnerabilities would have required the victim to just click on the Amazon link specially crafted by the threat actor. However, Amazon patched all the vulnerabilities after Check Point researchers disclosed their findings to the company.

“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history. We can also get usernames and phone numbers, depending on the skills installed on the user’s Alexa account,” researchers added.

Virtual assistants are used to control IoT devices like lights, A/C, entertainment, and other connected devices in a smart home. The proliferation of connected devices in consumer, enterprise, and healthcare organizations, and their internal vulnerabilities, have created a security blind spot for cybercriminals. With basic security measures and regular updates, connected devices can be secured against any intrusions.

The post Threat Alert! Amazon Alexa “One-Click” Attack Could Jeopardize Personal Data appeared first on CISO MAG | Cyber Security Magazine.

The U.K.’s Department for Digital, Culture, Media, and Sport (DCMS) and the National Cyber Security Centre (NCSC) have chalked three security requirements that IoT manufacturers need to comply with if they want to sell their devices in the country. Initial non-compliance may lead to a fine or penalties using civil enforcement, however, continued non-compliance may lead to criminal action in accordance with the scale of the offence.

The proposed  security requirements include:

• Ban universal default passwords in consumer smart products
• Implement a means to manage vulnerability reports
• Provide transparency on for how long, at a minimum, the product will receive security updates

However, the government is also seeking feedback and suggestions from IoT manufacturers on the proposed regulations to collectively enhance IoT security.

“Manufacturers do not embed even the most basic approaches to cybersecurity into their products, leaving consumers unnecessarily exposed to a range of harms. Most consumers overwhelmingly assume that products available in store and online are safe by default; the reality is that a number of insecure consumer smart products remain stocked on our shelves,” said, Matt Warman, Minister for Digital Infrastructure.

“The government’s intention is to design future-proofed legislation that will remain relevant amidst the rapid pace of technological change and innovation across the consumer smart product sector. The government will therefore seek to design this legislative framework so that it could be rapidly updated as necessitated by the evolution of the consumer smart product landscape, in consultation with relevant stakeholders,” Warman added.

IoT Devices to Dominate the Market

Earlier, a research by Transforma Insights revealed that the number of active IoT devices globally is expected to grow from 7.6 billion in 2019 to 24.1 billion in 2030, thereby generating revenue of more than $1.5 trillion, at 11% CAGR. The findings also stated that North America, China, and Europe are expected to have a lion’s share in this growth of IoT devices with 26%, 24%, and 23% respectively of the total value.

The post U.K. Government Proposes IoT Security Rules, Non-compliance May Lead to Fine appeared first on CISO MAG | Cyber Security Magazine.