Richard Hummel, Director of Threat Intelligence at NETSCOUT featured on the final episode of season 6 of IoT Unplugged as he discussed the state of IoT security in more depth.
Hummel’s role at NETSCOUT, constantly monitoring the threat landscape and understanding which tools and attacks threat actors are leveraging, puts him in a good position to discuss how attacks evolve over time. His earlier experience in the US Army, focusing on cyber threats and tracking nation states, instilled the mindset of “getting in the head of the adversary” that he still applies in his current work.
According to Hummel, IoT devices have been under attack for “decades”, and this is only set to intensify, predominantly because the technology itself is outpacing the regulation being put in place to dictate security – as is often the case with these things.
This is also exacerbated by the fact that most consumers do not necessarily think about the basics of security, such as avoiding default passwords or ensuring the firmware is updated.
“We did a study four or five years ago on how fast does an IoT device get compromised, and we found that within three and a half minutes of a brand new IoT device being on any network, it already [receives] brute force password attempts from auto propagating bots within 24 hours,” explained Hummel.
This awareness of how vulnerable IoT devices and more generally connected products are has led to the implementation of regulation such as the Cyber Resilience Act (CRA), NIS2 and the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act.
Hummel welcomed cybersecurity regulation for establishing a benchmark for protecting devices, but noted a couple of issues; for instance, the PSTI Act is UK-only and doesn’t address enterprise security.
In order for regulation to work, it might have to make people “uncomfortable,” Hummel said, noting that manufacturers aren’t going to enjoy an increase in spending on cybersecurity, and end users aren’t going to enjoy having to change their passwords to be more secure, but that it was necessary.
To hear what Hummel had to say about the threat landscape, regulation, and AI-driven attacks, listen on Spotify, Apple Podcasts, and at the link below.