Understanding the IoT cybersecurity risks in developing countries.
According to Intel, in 2020 there will be 200 billion IoT devices worldwide. That's 26 devices per every person in the world. It is an astonishing number. The world is becoming increasingly connected. As the connected objects increase in number, so to do the risks.
With the attack surface getting bigger and bigger, it's becoming a daunting task for companies to secure their attack surface. However, there is one segment that is feeling this problem worse than others. That's small, medium sized businesses "SMB" operating in developing countries.
Larger multinational companies can afford a large cybersecurity teams. Most will have a "Chief Information Security Officer" CISO to direct the team. In smaller companies this is just not possible. They do not have the resources. They might have one full-time security architect but most likely cybersecurity functions are just distributed among other members of the IT department who have other full-time roles as a priority.
This problem is bad for companies operating in developed countries like the United Kingdom. It gets worse when operating in or based in developing countries.
Before getting into IoT, it's important to look at the situation with mobile phones in developing countries. The Vietnam government estimates 72% of all mobile phones have virus’s. Let that sink in. Compare that with the number of mobile phones with viruses in the United States where the percentage is under 4%. If you are a global company and have offices in Vietnam, how are you protecting yourself?
Or China where 34% of all phones have fallen victim of malware. Percentage of mobile users who have fallen victim to mobile malware infections in 1st quarter 2018, by country.
China has an estimated 1.5 billion phones. If 34% of them are infected that is over 500 million phones impacted. The security risks for mobile phones in developing countries is very serious. What can happen when mobiles are compromised? Here are two of the most common things to happen.
1. Harvest data about and conduct surveillance on the victim
2. Mobile botnets. User details were sold and advertisements are tapped on without the user's knowledge and in doing so generates fraudulent advertising revenue. It will not be too long before a mobile crypto mining bots are launched (if it already hasn’t).
Does the company even know or understand their attack surface? Most SMB’s IT departments have no idea how many mobile phones are in use around the globe in the many countries they might operate in. Mobile phone purchases and maintainence usually falls under the local office manager who has NO idea how to secure them.
To add to the complexity, it is often unclear whose responsibility it is to manage the phones belong to. A rapidly growing company out of London is worried about many things – but I suspect, thinking about their subsidiary office in Vietnam’s mobiles phone is probably at the bottom of the list.
As far as security risks though, the IoT situation is worse.
How is IoT defined? I think the Wiki page has a good summary: "The Internet of things (IoT) is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these things to connect, collect and exchange data. IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects."
IoT faces greater challenges than mobile. The attack surface is significantly greater to defend against. IoT devices cannot easily be updated, or worse can’t be updated at all. Tack on, that many times the IT department doesn't even know about some IoT – think about when an HVAC unit is installed at a remote office or warehouse and no one informs IT, thinking it is not an IT related concern. The HVAC will most likely have IoT embedded sensor devices installed onsite that could posed security risk if compromised.
Here are some of the threats dealing with IoT.
- IoT ransonware IP cameras can capture sensitive footage from a range of locations. They could be inside a house, office or warehouse. “Hackers could record footage and say: ‘Unless you give me some Bitcoin, I’ll distribute this footage.’”
- IoT devices being redirected to other uses like installing cryptobots on them. The growth of this is not suprising considering the low risk, high rewards for malicious characters. This greater reduces the IoT device effectiveness and slows down the network.
- Hacker can use IoT as beachheads to access the rest of the company's network or combine thousands together into botnets to launch devastating DDOS attacks.
Even with using controls like defence-in-depth and network segmentation, there is a high chance that data loss will happen in these countries. According to Symantec, there was a 600% increase in IoT attacks between 2016 and 2017. This trend is expect to continue. In other words, the IoT risks are about to get a lot worse.
What can be done to improve the situation? Here are some ideas.
#1 Get the IT department involved and establish clear ownership of who manages all IoT. Once this is done, the IT department can determine the actual attack surface they are facing and start to put in measures to secure IoT.
#2 Get more serious about security. If your company can’t afford to hire security professionals then consider using external services. Companies like Cydefense cater directly to SMBs by offering a range of security services that are signifantly cheaper than hiring an entire security team and can be more effective in some cases.
#3 Find ways to raise awareness and educate users about the risks.
#4 Get tougher on IoT manufactures. Manufacturers are trading encryption for low power chips, lower prices, storage space, and battery life. Demand minimum standards for doing business with them.
Resources:
https://www.techrepublic.com/article/as-iot-attacks-increase-600-in-one-year-businesses-need-to-up-their-security/