Will The Cyber Resilience Act play a part in preventative security?

The world is changing but one thing remains the same — as fast as organisations adopt new technology to facilitate new ways of working, threat actors are waiting in the wings to take advantage. That is particularly true of smart devices, often referred to as IoT.

With remote workers now a permanent reality for most organisations, home environments also play a part in an organisation’s infrastructure. Modern homes have a variety of IoT devices – TVs, doorbells, baby monitors, and more. Every time a remote worker logs into their laptop or tablet, each of those devices becomes part of the enterprise attack surface.

To preventatively secure the modern attack surface, security teams must first gain an understanding of all the conditions that matter in today’s complex and dynamic environments.

What is the Cyber Resilience Act?

In September 2022, the European Commission introduced the Cyber Resilience Act (CRA), which aims to set common cybersecurity standards for connected devices and services. The act looks to introduce rules to protect digital products that are not covered by any previous regulation, making it the first IoT legislation in the world.

The requirements proposed under the CRA cover two main objectives:

While strengthening security for IoT devices, both at the point of introduction to the market and, perhaps more importantly, across a product’s life cycle, is a solid step forward, the CRA is still under revision. It is a way off from being adopted into law, and debate continues around the final wording. Time will tell just how effective it will be at proactively preventing cyber threats.

Similarly, while legislation and regulation are helpful, alone they are not enough. Organisations must not be lulled into a false sense of security that, by ticking the relevant boxes, they are secure. The onus has to be on every organisation to implement secure working practices that protect its infrastructure and the sensitive data it contains.

Prevention better than cure

The harsh truth is that the vast majority of attacks are preventable. Threat actors rely on leveraging unpatched, legacy vulnerabilities across a wide spectrum of software solutions to infiltrate organisations. They look for misconfigurations that can be abused to dig deeper into the environment or cause a program to behave differently from how it was intended. And they look for excessive or misconfigured identity privileges that allow them to take control of the environment and move around unchallenged.

Context-driven risk analytics enable security teams to anticipate and remediate threats long before they become problems. An exposure management program brings together data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory), cloud configurations and deployments, and web applications — to help organisations understand the full breadth and depth of their exposures. Alongside this holistic visibility is context — who is using the system, what they have access to, how it is configured, and so on.

Understanding all of the conditions that matter in today’s complex and dynamic environments helps an organisation understand the full breadth and depth of its exposures, allowing security teams to take the actions needed to reduce them through remediation and incident response workflows.

Doing nothing is not an option. It is imperative that organisations step up and stop criminals from infiltrating their infrastructure. Understanding attacker behaviour helps inform security programs and prioritise security efforts to focus on the areas of greatest risk and disrupt attack paths, ultimately reducing exposure to cyber incidents. Benjamin Franklin is credited with saying ‘an ounce of prevention is worth a pound of cure’, and this certainly holds true for cyber attacks.

With over 20 years in the security industry, Bernard Montel is Technical Director of EMEA at NASDAQ-listed cybersecurity company Tenable. His expertise includes cryptography, Identity & Access Management, and SOC domains. Bernard has published numerous articles featured in leading trade titles and is regularly invited to speak about cybersecurity on broadcast news, providing insight into current cybersecurity threats, cyber risk management, and cyber exposure.