The Internet of Things and how your doorbell might just be attacking Amazon
We hear a lot about the Internet of Things (IoT) on the web nowadays, and the TV is full of adverts for central heating systems that you can control from your smartphone or tablet. There are Wi-Fi-enabled doorbells that contact you on your phone when the postman is leaving you a package at home, and IoT light bulbs and power sockets can be bought at your local DIY store too. It looks as though this is mainstream now, and not just for us techie blokes who like something new to talk about in the pub.
The big unanswered question at the moment is: how safe are these things? There have been some horror stories about Wi-Fi-enabled baby monitors exposing images of sleeping children to the world, and the most recent case of the Mirai malware found on IoT devices demonstrates just how susceptible any internet-connected device can be to exploitation. In the Mirai case, malware was deployed to various devices globally, but it seems that a large proportion of them may have been IoT devices. The malware was responsible for a huge Distributed Denial of Service (DDoS) attack aimed at the domain name system (DNS) provider Dyn on October 21st. This in turn disrupted services as far and wide as Amazon, Netflix, PayPal, Twitter and GitHub. Serious stuff then, but how on earth did this happen?
To the average user, these IoT devices are just appliances that you plug in and forget about, so how could they be developed into a threat? Well, by their very nature, they are not to be thought of in the same way that I think about my good old-fashioned Dualit toaster. These devices are intelligent and programmable and can be susceptible to malware in the same way as your desktop computer. The same security precautions should be taken to ensure that they do not pose a threat.
The Mirai malware turns the infected device into a member of a botnet, a collection of devices that can communicate with one another for various purposes (the word botnet is derived from the words Robotic and Network). This piece of malware has been responsible for several DDoS attacks in the last 12 months, but the attack of the 21st Oct seems to have been the most significant in size. It would appear that the number of IoT devices that are becoming infected is on the increase and there is strength in numbers – in fact, botnets rely on this.
So, what can be done? Well, it is often hard to tell if your webcam or doorbell has become infected, as it still operates as normal. It might get a bit temperamental at times (but don't we all). It is important, however, to ensure that the firmware is updated regularly and that any default passwords and accounts are removed upon installation. The malware checks for open default accounts and utilises these to gain control of the device. It has been the advice of many security experts over the years, but now it really does hit home – remove any default accounts and passwords from any device before you intend to use it, and check that the firmware is kept up to date. It might go against the grain to patch your doorbell or your webcam, but it might just be possible that it is launching an attack on a global website whilst you sip your coffee... food for thought indeed!
How a CISO can exert influence at board level
Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” As he is perhaps best remembered for his infamous ear-biting antics, he is unlikely to be a role model for many of today’s Chief Information Security Officers (CISOs), but the former heavyweight boxing champion does have a point. The biggest challenge faced by CISOs today is not the need to defend against known risk, but to identify the potential gaps in their own strategy. In short, to intuit what may be the ‘unknown unknowns’.
Because it is not simply a question of rolling with the punches. Like any good boxer, the CISO’s best defence is anticipation. They need to step back from individual skirmishes and establish a strategic defence from potential blows which may not even have yet been considered, even by their opponents. And the most valuable skill they can possess to facilitate this? It is not a heavyweight knowledge of the information security domain, but the ability to influence.
For while protection against known risks can, to an extent, be delegated to the wider CISO team, the senior CISO cannot dodge the essential forward-thinking leadership role required. They cannot simply oversee comprehensive risk analysis, the integration of appropriate security tools and the development of a security culture; they must also ensure that they influence in such a way that priority is given to the organisation’s defensive strategy.
So, in addition to a high level of technical expertise, a thorough understanding of the business model and an ability to mitigate risk, the CISO needs to articulate the state of information security to the company stakeholders and lead employees. They need to do this to ensure that resources are available to defend against the (as yet) unknown. And for this the CISO must possess influence; and that influence needs to be at board level.
Now few would argue with an irate Tyson but in reality his approach is not usually the best model for those wishing to exert board level influence. Influence comes from confidence – both inner confidence and the ability to engender confidence in others. If fellow board members consider the CISO to be fully informed and strategically prepared, they are more likely to listen attentively. If they feel that funding and time are requested in a pragmatic way, with no unnecessary extras, then they are more likely to allocate resources.
The VirtualCISO™, developed by SRM to meet this need, provides CISOs with all the resources and tools necessary to fulfil their role at the highest level. But it also provides strategic guidance from a designated highly qualified industry expert with an excellent knowledge of the wider sector and a detailed knowledge of the businesses with which they are working. Through collaboration and understanding, a detailed and cost effective road map can be developed, arming the CISO with the muscle required for board level influence.
The buck stops here: advice for the new CISO on campus
As Universities return for the beginning of a new academic year, never has the role of Chief Information Security Officers (CISOs) been more important. Some will be continuing an ongoing strategic campaign while others may be settling into new roles and, quite frankly, may be wondering what on earth they have let themselves in for.
Because not only are they expected to be responsible for the strategic leadership of the University’s information security program, they are also required to anticipate and respond to the fastest-moving environment on campus without ever getting it wrong. For just one breach will have huge financial consequences and a catastrophic impact on the reputation of the University.
Like any business, a University's reputation is a precious, and marketable, asset. And like any other business, its employees have other jobs to concentrate on. Those who work in a University environment know that academics are not always the most collaborative of souls; some even liken managing whole-campus efforts to that most difficult of tasks, namely herding cats.
Yet, working in collaboration with everyone from the maintenance crew to the senior professors is essential. Because, without their full involvement, precious information cannot be protected from some of the most intelligent and ingenious minds of a generation who, for whatever reason, have opted to use their talents for the Dark Side. Cyber criminals and the webs they weave are not only brilliantly clever, they are also constantly evolving.
So, where should a newly appointed CISO begin? Here is a suggested plan of action for the first 30 days:
- People: get to know the people you need to have good working relationships with. These will include your colleagues in the IT department as well as key stakeholders across all other departments;
- Job description: review your job description. This will tell you what is expected of you but it is important to ascertain what may have been omitted so that you can pre-empt any resource issues;
- Resource: assess the resources of the IT security department and review its existing services and activities. Now is the time to establish what you have or are reasonably able to establish as well as what additional resource or expertise you may need to contract in;
- Guidance: access all available guidance but be cautious about believing everything you read. Prioritise advice provided by industry experts with a proven track record and experience in this particular field;
- Belt and braces: think strategically about how your department can, from the outset, fulfil its designated role: ensuring the safety of all personal data, information and systems. The buck stops here.
- Register with SRM to receive updates on the role of CISOs in Universities.