This is a summary of an article written for Dark Reading by Aamir Lakhani, Cybersecurity Researcher and Practitioner for FortiGuard Labs. The entire article can be accessed here.
With the outbreak of COVID-19 came a new wave of cybercriminal opportunists, motivated by the sudden increase in attack surfaces as the global workforce transitioned to a largely remote operations model. Not only did the number of attacks increase, but so did their speed and scale.
How can businesses mount a reliable defense against mid-pandemic cyberattacks? By practicing extreme vigilance, offering ongoing security training, and implementing a robust integrated security framework. At the same time, they must not lose sight of the bigger picture. Hundreds of potential attack vectors are currently exposed – and the fact that many of these are tied to at-home networks further complicates the situation. Internet of Things (IoT) devices, in particular, have been at the center of the recent increase in enterprise cyberattacks.
IoT Security and Remote Work
Enough time has now passed since the onset of the pandemic for most organizations to have worked out any initial issues that arose with the transition to remote work. Yet, for many businesses, one problem continues to have repercussions.
A shortage of company-owned laptops and devices forced many workers to use their personal computers to access corporate networks and complete work-related tasks. Simultaneously, these individuals continued to engage in more mundane (and often riskier) online behavior such as browsing social media, shopping, and streaming entertainment. Since most of these personal devices lack endpoint protection and desktop security, they’re far more vulnerable to malware.
From an IoT security perspective, this oversight has the potential to be incredibly damaging, mainly because attackers can achieve their goals even without direct access to, for instance, a personal laptop. Malware can be spread indirectly via routers, tablets, and gaming and entertainment systems connected to the home network, as well as via IoT devices like smart doorbells, cameras, and thermostats. Need proof? Just take a look at the top three searches on Shodan, all of which are related to remote camera access. While some remote cameras are deliberately open to the Internet, many others are still connected to the Internet with default credentials. By leveraging this low-hanging fruit, attackers can easily gain access to systems that were never intended for the public.
While this act alone could significantly impact networks, it may only be the first step for an attacker in their attempt to exploit an organization. Threat actors know that if they can exploit a vulnerable device that nobody expects to be an issue, it will be easier to gain access to a corporate or school network and its digital resources.
Rise in IoT Adoption
While IoT devices may be more vulnerable to attacks, adoption of this technology continues to rise steadily. One prediction states that IoT platform revenues will reach a staggering $66 billion in 2020 — a 20% increase over last year. And this year, medical and healthcare industries aren’t the only ones investing in IoT: touchless and contactless devices have become massively more attractive to businesses in industries ranging from hospitality to retail. Examples of these offerings include touchless building access, touchless point-of-sale devices, and body temperature cameras.
Important Insights & Takeaways
Even if your business has begun to acclimate to the ‘new normal’ of continued remote work – or even if most employees are now back in an office environment – threats are still out there. While IoT adoption solves many business problems, attackers are well-versed in its vulnerabilities. Some examples of attacks on IoT technology include:
- Attacks against medical device suppliers: The FortiGuard Labs threat research team uncovered one attack in which cybercriminals sent an email pretending to request multiple medical devices; this email contained a malicious Microsoft Word attachment. If a recipient opened the attachment, the downloaded files could exfiltrate files from the user’s computer.
- Phishing attempts tied to COVID-19: Scammers have used the pandemic as an opportunity to send malicious emails, including those that appear to be reports from trusted sources like government agencies and news outlets. Due to a rise in these attacks, the World Health Organization (WHO) was forced to issue a statement, and the UN released an advisory warning people to be on their guard against similar phishing scams.
Moving Forward with IoT
While the pandemic continues to play out around the globe – and even after it eventually ends – cybersecurity professionals must perform the utmost due diligence to avoid serious losses at the hands of an attacker. In these circumstances, extra precautions must be taken not only by the IT and security teams but by the entire organization. User awareness training that educates employees about good cyber hygiene should be considered mandatory.
In addition, now is the time for businesses to revisit their security technology investments. Secure email gateways and access control solutions must be able to provide the level of protection the evolving threat landscape requires. Proximity controls – such as intrusion-prevention systems – add another layer of defense by protecting IoT devices that can’t be directly secured.
IT teams are scrambling to defend their networks, a process that’s only become trickier as IoT device adoption has increased. Vigilance, ongoing cybersecurity training, and an integrated security framework (such as the deployment of Secure SD-WAN for remote workers) are the key components of a successful cybersecurity strategy. As long as organizations move quickly and remain agile, they’ll be able to sustain the fight against the latest crop of pandemic opportunists and enable IoT security for their employees.