IoT and cybersecurity have long been discussed in the same breath: every additional connected device enlarges the attack surface that cyber criminals can target.
This is not a new topic for the industry, but a slew of recent cyber attacks has served as a reminder to remain vigilant, and the UK's Product Security and Telecommunications Infrastructure (PSTI) regime, which came into force on 29th April, has cemented that commitment: manufacturers of consumer connectable products must not ship universal default passwords, must publish a point of contact for reporting security issues, and must be transparent about the minimum period for which security updates will be provided. The growing number of Smart Home devices – figure here – has given attackers a perfect canvas for targeting sensitive and personal data. According to data released by Statista, the number of connected IoT devices is forecast to reach 29.42 billion by 2030.
From the historic auction house Christie’s to the cloud security company Zscaler, cyber criminals don’t discriminate, and their reasons for targeting such organisations are multifaceted. In some cases they lock an organisation out of its own network to strong-arm it into paying for access to be restored; in others they go after the valuable thing itself: data.
IoT attacks are frequently categorised as spoofing, tampering, information disclosure, denial of service or elevation of privilege, five of the six categories of the STRIDE threat model (the sixth is repudiation). Whatever the category, the impact can be significant. Identifying likely threats and their potential impact, and choosing a mitigation strategy that fits the business, is a good starting point for understanding IoT security risk. Some companies carry out threat modelling against digital twins of their systems to understand how a deployment might be targeted and what they can do to reduce the likelihood or impact of such an attack.
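The categorisation above is usually applied per element of a data-flow diagram: each kind of element (external entity, process, data store, data flow) attracts a fixed subset of the STRIDE categories, and flows that cross a trust boundary get the most attention. The following is an added example, not code from the article or from any threat-modelling product; the smart-thermostat deployment it models (firmware, cloud API, telemetry store, mobile app) and its trust zones are constructed for illustration.

```python
"""STRIDE-per-element threat enumeration for a small IoT data-flow diagram.

Added example, not from the article or any vendor tool. It models a
constructed smart-home deployment and lists the STRIDE categories that apply
to each element and data flow, flagging flows that cross a trust boundary.
"""
from dataclasses import dataclass

# Microsoft's STRIDE-per-element table: which categories are considered for
# each kind of DFD element. Repudiation is the sixth category; the article
# lists the other five.
STRIDE_PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"},
    "store": {"Tampering", "Repudiation", "Information disclosure",
              "Denial of service"},
    "flow": {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; flows between different zones cross a boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool


def crosses_trust_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def enumerate_threats(elements, flows):
    """Return one Threat per (element or flow, applicable STRIDE category)."""
    threats = []
    for e in elements:
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append(Threat(e.name, cat, False))
    for f in flows:
        crossing = crosses_trust_boundary(f)
        for cat in sorted(STRIDE_PER_ELEMENT["flow"]):
            threats.append(Threat(f.name, cat, crossing))
    return threats


def categories_for(threats, target):
    return {t.category for t in threats if t.target == target}


# Constructed model of a smart thermostat deployment (names are placeholders).
APP = Element("Mobile app", "external", "internet")
DEVICE = Element("Thermostat firmware", "process", "home-lan")
CLOUD = Element("Cloud API", "process", "cloud")
DB = Element("Telemetry DB", "store", "cloud")

ELEMENTS = [APP, DEVICE, CLOUD, DB]
FLOWS = [
    Flow("telemetry upload", DEVICE, CLOUD),   # home-lan -> cloud
    Flow("app commands", APP, CLOUD),          # internet -> cloud
    Flow("telemetry write", CLOUD, DB),        # cloud -> cloud (internal)
    Flow("local control", APP, DEVICE),        # internet -> home-lan
]


def build_threat_list():
    return enumerate_threats(ELEMENTS, FLOWS)


if __name__ == "__main__":
    for t in build_threat_list():
        flag = "  [crosses trust boundary]" if t.crosses_boundary else ""
        print(f"{t.target:22} {t.category}{flag}")
```

For this four-element, four-flow model the enumeration yields 30 candidate threats, nine of them on flows that leave one trust zone for another; the "telemetry write" flow stays inside the cloud zone and is not flagged. The list is the raw input to the risk discussion the article describes, not its output: each row still needs a likelihood, an impact and a decision.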
Couple the growing number of devices with the increasing use of AI tools and software, and businesses need to be aware of the risks. On 15th May the UK Government unveiled new codes of practice to protect AI models from hacking; they set out how developers can build software securely from the start, with the aim of protecting it against attack. “To make the most of the technological advances which stand to transform the way we live, cyber security must be at the heart of how we develop digital systems,” said Felicity Oswald, Chief Executive of the National Cyber Security Centre, at the time of the announcement.
Christie’s told BBC Technology that it had been targeted in a “technology security incident”. As a result, listings of valuable art and other items were taken off its website and can no longer be viewed by potential buyers.
Remarking on the attack, Jamie Boote, Associate Principal Consultant at the Synopsys Software Integrity Group, spoke of the opportunism of cyber criminals. “Anywhere there is money somewhere on the internet, attackers have been exploiting vulnerabilities to their benefit,” he said. “This is far from the first auction-related attack. There’s even a class of exploits known as ‘eBay Attacks’ where attackers used to exploit the 5-minute account lock-out to freeze out other bidders from raising the prices on goods they wanted to win.
“This was because eBay used to list the account names of other bidders, and all the attacker had to do was enter in the displayed user name and a wrong password 3-5 times in succession, and that user wouldn’t be able to log in and bid.”
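The lock-out abuse Boote describes is a design flaw rather than a software bug: a lock-out that is keyed on the account alone turns the failed-login counter into a denial-of-service button for anyone who knows a user name. The following is an added example, not code from Christie's, eBay or the quoted speaker; it shows a three-failure, five-minute account lock of that shape next to a variant that throttles the source of the failures instead. The user names, passwords and addresses are constructed placeholders.

```python
"""Account lockout as a denial-of-service vector, and a hardened alternative.

Added example; it is not Christie's, eBay's or the quoted speaker's code. The
three-failure, five-minute account lock mirrors the pattern described above.
User names, passwords and addresses are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import time


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; the iteration count is kept low
    # so the demo runs quickly (production tuning would be far slower).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class NaiveLockoutAuth:
    """Locks the *account* after MAX_FAILURES wrong passwords, whoever sent them.

    Anyone who knows a user name can lock that user out for LOCK_SECONDS by
    submitting a few wrong passwords: the eBay-style bidder freeze.
    """
    MAX_FAILURES = 3
    LOCK_SECONDS = 300

    def __init__(self, users: dict, now=time.monotonic):
        self.now = now
        self._creds = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, _derive(pw, salt))
        self.failures = {}
        self.locked_until = {}

    def _password_ok(self, user, password):
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, _derive(password, salt))

    def login(self, user, password, source_ip):
        t = self.now()
        if self.locked_until.get(user, 0) > t:
            return "locked"
        if self._password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked_until[user] = t + self.LOCK_SECONDS
            self.failures[user] = 0
        return "bad_password"


class SourceThrottledAuth(NaiveLockoutAuth):
    """Throttles the *source* of the failures instead of freezing the account.

    A correct password from any source always succeeds, so a third party
    cannot lock the real owner out; the offending source gets an escalating
    back-off capped at LOCK_SECONDS.
    """

    def login(self, user, password, source_ip):
        t = self.now()
        if self.locked_until.get(source_ip, 0) > t:
            return "throttled"
        if self._password_ok(user, password):
            return "ok"
        n = self.failures.get(source_ip, 0) + 1
        self.failures[source_ip] = n
        if n >= self.MAX_FAILURES:
            self.locked_until[source_ip] = t + min(self.LOCK_SECONDS, 2 ** n)
        return "bad_password"


def simulate(auth_cls):
    """Attacker sends three wrong passwords for 'alice'; then alice logs in.

    Returns (result of the attacker's 4th attempt, result of alice's login).
    """
    clock = [0.0]                         # fake monotonic clock, in seconds
    auth = auth_cls({"alice": "correct horse battery staple"},
                    now=lambda: clock[0])
    attacker, alice = "203.0.113.7", "198.51.100.20"
    for _ in range(3):
        auth.login("alice", "not-her-password", attacker)
    clock[0] += 1.0
    attacker_again = auth.login("alice", "still-wrong", attacker)
    alice_login = auth.login("alice", "correct horse battery staple", alice)
    return attacker_again, alice_login


if __name__ == "__main__":
    print("naive   :", simulate(NaiveLockoutAuth))
    print("hardened:", simulate(SourceThrottledAuth))
```

With the naive scheme the victim is simply "locked" for five minutes after three guesses from someone else; with source throttling the attacker is the one turned away and the genuine login succeeds. Per-source throttling on its own does not stop password guessing spread across many addresses, so in practice it is paired with a per-account step-up (a CAPTCHA or second factor rather than a hard lock), and the user names of other participants are not displayed in the first place.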
Learning from these incidents is of paramount importance, stressed Erfan Shadabi, Cybersecurity Expert at comforte. “In response to the attack, Christie’s has activated its well-established protocols and set up an alternative website to provide basic information about the auction items. However, these measures highlight the need for more robust data-centric security practices. Data-centric security, such as tokenisation and encryption, ensures that sensitive information remains protected even if a breach occurs.”
In the case of the attack on Zscaler, the company was praised for its transparency and handling of the incident, which shows that even when an attack takes an organisation by surprise, how it responds in the aftermath matters just as much.
“If Zscaler is being forthcoming about the amount of access to its systems then they should be applauded. However, if they have discovered that the damage was worse than first expected they should continue to be forthcoming about the incident. Customers want to be kept informed in cases like these, and not being honest with the information about a data breach can cause a company irreparable harm to its reputation,” stated Chris Hauk, Consumer Privacy Advocate at Pixel Privacy.
The passing of legislation, the enforcement of cybersecurity standards, integrating security into product design from the outset, improving device monitoring and adding security features will all go a significant way towards combating cyber attacks.