Social engineering threatens IoT security issues

While the threat of IoT security issues is apparent, people and the processes they create are often more problematic.
  • Written by Brian Buntz
  • 1st August 2017

In the early 1990s, Kevin Mitnick was one of the most notorious hackers on the planet. Now, however, he’s a security rockstar — a best-selling author and popular speaker who has recast himself as a trusted adviser to the Fortune 500 and international governments.

Hackers like Mitnick should remind enterprise companies of the human element of hacking. Mitnick has long been an expert in social engineering, which he defines in his book “The Art of Deception” as “getting people to do things they wouldn’t ordinarily do for a stranger.” Threat actors have long used social engineering to target traditional computer networks and computing platforms. But the technique is also perilous for enterprise IoT devices, nearly half of which have been breached in the past two years, according to a survey of 400 IT executives from Altman Vilandrie & Co. A post on the Mitnick Security blog, for instance, explains how social engineering was likely used in the Stuxnet attack against the Natanz nuclear facility in Iran. The plant’s network may have been isolated from the public internet, but all it took to launch the attack was for a single worker to plug a USB flash drive into a computer within the facility. Stuxnet, one of the first examples of an IoT-based digital weapon, caused Iranian nuclear centrifuges to fail and reportedly explode in 2010.

“It is common for organizations to focus on technology-based cybersecurity risks while not focusing sufficiently on people and process, both of which are common failure points,” said T.J. Laher, senior solutions marketing manager at Cloudera and host of the Cybersecurity On Call podcast.

A May feature in Harvard Business Review reaches a similar conclusion: “The major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris.” Another recent HBR piece considers the behavioral economics of why executives tend to underinvest in cybersecurity. (Note: Cloudera is sponsoring an HBR webinar on the subject of cybersecurity for the C-suite to be held on Aug. 3.)

Such biases can also create trouble for cutting-edge networks designed to confront IoT security issues posed by networks with thousands or millions of IoT devices, said Ofer Amitai, CEO and co-founder of security startup Portnox. Consider, for instance, intuitive networking, which relies on machine learning and artificial intelligence to facilitate network administration and threat detection. “One of the most impressive aspects of Cisco’s Network Intuitive [platform], for instance, is that it claims to be able to identify malware in encrypted web traffic without the need to decrypt the information and breach privacy,” Amitai said. “However, if this tool is based on network context, it could create space for social engineering and put the network under threat from potentially dangerous malware ‘disguised’ as regular encrypted traffic.”

For example, a hacker could disguise a phishing campaign so that it resembles regular behavior and actions carried out by employees on the network, thereby easily gaining entry into the network and access to its assets, Amitai added. “Additionally, a hacker could use social engineering to gain access to the network and then send out what look like regular encrypted commands, which are actually network attack verticals. This would fly under the radar of network admins if they aren’t decrypting traffic to check for malware threats.” In addition, an employee with low-level internet etiquette could “miseducate” the network and expose the organization to cyberthreats. For many enterprises, it may still be too early to automate network access and control to be “intuitive,” Amitai concluded.


Another consideration is that relatively few executives worry sufficiently about IoT security issues. This is often the case for organizations fortunate enough never to have been hacked. “We see buyers who think of security as a cost center who want to achieve as much security as possible at the lowest cost,” Laher said. “But if a CEO has ever been part of an organization that has been hacked before, cybersecurity has a bigger budget. They might even have a blank check,” he explained.

Another common hurdle is that executives think of IoT security issues as external. Many breaches, however, are aided or abetted by people within the company. IBM’s 2016 Cyber Security Intelligence Index reported that 60% of such attacks were from insiders. An example might be an engineer unwittingly deploying an insecure network of IoT devices, or it might be a disgruntled cybersecurity professional.

“We are seeing forward-looking organizations embrace this concept of ‘watching the watcher,’” Laher said. “A lot of cybersecurity professionals are ex-hackers. They were black-hat [hackers] at one point or [hacktivists].”

In the end, the triad of people, process and things is interwoven. “Ultimately, the notion of watching the watcher becomes a technology problem,” Laher noted. “You need to do a complete audit so you can track what everybody is doing and what they are accessing and modifying. You need to have all of your data encrypted and secure so that only one or two people can access it.”

With the explosion of IoT devices, “the future of networking is really more about having visibility to all devices connected to the network in real time and the ability to control and manage them in a way that protects the network,” Amitai said.

Peter Tran, GM and senior director of RSA’s Advanced Cyber Defense division, says that it is noble to aim to achieve a perfect triad between people, process and technology, but stresses that it is challenging “given the disparate nature of IoT” and “today’s rush to migrate to the cloud.” “The scales tend to get tipped pretty heavily towards technology when IT and sensors come together,” he said.
