How has the security of the Internet of Things evolved in recent years? TechBeacon last visited the topic in 2017 and found the picture to be troubling at best. Now, for the first time since 2014, OWASP has updated its own Top Ten list of IoT Vulnerabilities. While the present state of IoT security remains poor, a reading of the draft reveals some shifts in thinking about how to shore up IoT devices’ spotty security. For example, “weak, guessable, or hardcoded passwords” now top the list, replacing insecure web interfaces, which drop to No. 3. Insecure networks also rank higher, now up a spot, to second on the list.
The past 12 months have been a maze of cyber security challenges, ranging from the almost constant data breach headlines to the introduction of that little thing called the GDPR. Now, as 2019 comes rushing up to greet us, what can we expect to see dominating the industry? Below are just a few of the predictions we’re making…
The over-arching goal for any cyber deception system is to create target computing and networking systems and infrastructure that will be indistinguishable by an adversary from actual assets – including both live production and test environments. While this would seem an obvious consideration, it turns out to be quite challenging technically to build such deception in practice. Except for Attivo Networks, others will attempt to achieve this through emulation.
“IoT-enabled device innovation will continue to outpace the security built into those devices and Federal government regulation will continue to inadequately define the laws and fines required to effect change. State-level regulations will be enacted to improve the situation, but will likely fall short in impact, and in many cases, only result in a false sense of consumer confidence with respect to the security of these devices”—Carolyn Crandall, Chief Deception Officer, Attivo Networks.
Written by: Carolyn Crandall, Attivo Networks CMO – Halloween may be the only time of the year when monsters, vampires and ghosts parade the streets at night spooking the public. However, in the dark online world of sophisticated adversaries and expanding attack surfaces, threats continue to lurk in our networks at unprecedented rates, wreaking havoc on organizations and going undetected for months at a time…scary stuff. These threat actors’ “tricks” are certainly not enjoyable “treats”, so for this year’s Halloween blog, we’re looking into how organizations, in all industries, can avoid falling victim to the modern cyber villain’s trickery with the help of deception technology.
Researchers from the U.K.-based penetration testing service Pen Test Partners recently attacked a video surveillance system, and they pulled off a fairly scary feat. “We successfully switched video feeds from one camera to another through the cloud service, proving arbitrary access to anyone’s camera,” they wrote. That pen test is even more concerning when you take into account the fact that the world is in the midst of a widespread proliferation of video surveillance equipment among both private citizens and enterprise security users – which, in fact, we are.
“In addition to early detection, sports organisations that invest in tools for threat and adversary intelligence will be able to better understand their security vulnerabilities, quickly isolate attacks, and prevent recurring attacks. Many organisations are turning to deception technology for offence-driven security designed to significantly reduce dwell time and accelerate remediation by tricking attackers into making a mistake and revealing their presence in the network.”
Attivo Networks enhanced its portfolio with new deception techniques designed to derail attacks targeting nontraditional surfaces. In addition to Internet of Things and operational technology, attackers are now targeting devices and applications that can be harder to secure as they look for the weak link in an organization’s network.