What’s next: Emerging vulnerabilities

In this section:

IoT: AT&T has recorded a 3,198% increase in IoT vulnerability scans over the past three years.

Cloud: Companies with more than 50% of their data in the cloud report higher attack rates [19].

Mobile: 40% of organizations have had their employees’ mobile devices compromised in the past 12 months [20].

Bottom line: As known threats expand to new platforms, organizations should recognize the distinctive risks of emerging technology while remaining true to foundational security practices.

The scope of known threats is increasing dramatically as organizations become more digital across internal and customer-facing operations. In particular, rapid adoption of the Internet of Things, cloud technology, and mobile devices, while providing significant benefits to organizations, has also given rise to increased levels of cybercriminal activity.

How do you deal with these ever-mutating threats? It comes down to recognizing the unique security demands of each new technology in your cybersecurity practices.

Internet of Things

About 6.4 billion connected “things” — from car sensors to pacemakers — are expected to be online worldwide in 2016, up 30% from a year earlier [21]. Respondents to the AT&T survey have an average of just over 1,500 connected devices in their organizations.

IoT deployments are expanding as organizations connect previously siloed applications. Obvious integration points are smart cities and smart cars. In Songdo, South Korea, cars equipped with radio frequency identification (RFID) tags automatically transmit data to municipal systems that analyze the information for transportation planning — and share the results with residents. In the U.K., Jaguar is working with local agencies to send real-time data about road hazards — culled from its in-vehicle platform — to municipal road crews [22].

Expansion in the scope of our increasingly interconnected world brings heightened concerns about security threats. Over the last three years, AT&T has recorded a 3,198% increase in IoT vulnerability scans. The research firm IDC predicts that by 2018, approximately two-thirds of enterprises will experience some sort of IoT security breach [23]. It’s simple, really: More IoT deployments create more possible points that hackers can exploit.

Fifty-eight percent of U.S.-based respondents to the AT&T survey don’t have confidence in the security of their own connected devices, compared with 35% of respondents in EMEA and 29% of those in APAC.

Those confidence levels may dip in coming years. As more devices are connected, the risk of a major breach increases, particularly as organizations bring more device makers, developers, vendors, business partners, and even customers into their IoT ecosystems.

Securing devices from known threats

Given how IoT data often flows well beyond an organization’s traditional defenses, vulnerabilities increase when your data is exposed to third-party devices and systems with less stringent controls [24].

58% of U.S. organizations don’t have confidence in the security of their connected devices

Part of the challenge comes back to the unique nature of IoT deployments.

“Traditional security doesn’t meet all of IoT’s security needs,” says Chris Penrose, senior vice president for Internet of Things Solutions at AT&T. “Unfortunately not all users think about new security risks and simply follow the security practices that they have always used.”

Safeguarding your organization’s IoT devices requires a proactive, multilayered approach that’s tightly aligned with your overarching cybersecurity strategy. Risk assessments of your own IoT devices and policies, as well as those of your third-party vendors, should be folded into your overall risk profile. Only then can you know — and manage — all of the points where your data and devices are potentially under threat.

Cloud technology

More than 90% of companies are estimated to already use some form of cloud technology in their operations as they look to scale projects in more cost-effective and nimble ways [25]. By the end of this decade, over one-third of all data will reside in or pass through the cloud [26]. Companies in the AT&T survey have moved, on average, 33% of their data to the public cloud.

More and more, IT professionals consider cloud platforms to be equally or more secure than on-premises systems [27]. About six in 10 companies in the AT&T survey show high levels of confidence that their data residing in the public cloud will be secure for the next 12 months.

Are leadership teams right to feel so confident? The vast amount of data stored in the cloud is an appealing target for known threats. In the AT&T survey, companies storing more than half of their data in the cloud report a higher frequency of malware, ransomware, APTs, theft of proprietary information, and unauthorized access to corporate data than those that store less than half of their data in the cloud. It’s wrong, however, to assume that data is most vulnerable when it’s in the public cloud and safest when it’s locked away in the corporate data center.

“You can’t put sandbags around an organization’s perimeter anymore. Security now must rely on virtual firewall capabilities,” says Andy Daudelin, vice president for Cloud and Cloud Networking at AT&T.

Defending your cloud against known threats

Questions surrounding cloud security often mirror those for enterprise security in general. Attackers are using many of the same basic techniques to break into cloud-based services that they have employed for years — including social engineering and DDoS attacks.

For example, a phishing campaign left users of Microsoft’s cloud-based Office 365 software exposed to a potentially massive ransomware attack. The attackers sent emails infected with a strain of the Cerber ransomware to millions of Office 365 users. Clicking on the email’s attachment would have triggered a macro that encrypted a user’s files and delivered an audio demand for ransom. Fortunately, Microsoft responded quickly and was able to block the malware a day later [28].

But the security of a cloud service provider shouldn’t be your only concern. Focusing on the link between the cloud and your organization is just as key to protecting your network. With services such as MPLS VPNs, the security risks of cloud technology are reduced by securing your internet connection.

Cloud security also can be jeopardized when IT teams don’t have control over who purchases cloud services across the organization. The “as-a-service” model has made it easy for any employee to purchase a cloud product — whether it’s a personal application such as Dropbox or a department-wide service such as Salesforce. IT may not even be aware that these applications exist, and without proper governance, unauthorized applications may have weak security controls that attackers can exploit.

This growing challenge has prompted more organizations to use cloud access security brokers. CASBs act as gatekeepers for cloud-based services in use across the organization (see “A more secure approach to the cloud”).

Know the terms:

Man-in-the-middle

An attacker who secretly intercepts and possibly modifies messages between two parties

Zero-day attack

A new type of cyberattack that hasn’t been seen before

Profiling cyberattacks

Over the past two years, high-profile flaws in the most widely deployed security protocol, SSL, have come to light, creating avenues for new attack types. But the steps needed to avoid such attacks — patching and configuration changes — are also widely known and easily available.

According to Digital Defense Inc., the most prevalent, high-profile threats resulting from protocol weaknesses affect cloud-hosting and perimeter systems. For example:

Poodle takes advantage of a flaw that makes it easier for man-in-the-middle attackers to steal data. This flaw continues to be one of the most widely unpatched vulnerabilities on the internet, say DDI experts.

Drown allows attackers to break an organization’s encryption codes to steal sensitive information, including passwords, credit card numbers, trade secrets, and financial data. Similar to Poodle, it relies on a man-in-the-middle attack.

Cipher Zero Authentication Bypass Vulnerability can allow an attacker to take control of operating system software and access the system through a flaw in the IPMI protocol.

Companies typically can help address these flaws by sweeping systems for the vulnerabilities and then applying vendor-supplied patches or the appropriate configuration changes.
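
The sweep-and-reconfigure step above, as an added example that is not part of the original report: a Python audit that reads nginx `ssl_protocols` and Apache `SSLProtocol` lines and reports any that still enable SSLv2 (which Drown needs on the server) or SSLv3 (which Poodle needs). The protocol-to-flaw mapping, the conservative expansion of Apache's `all`, and the sample configuration are assumptions of this example, not content from the report.

```python
# Protocol-to-flaw mapping is general knowledge, not taken from the report.
LEGACY = {"SSLv2": "DROWN", "SSLv3": "POODLE"}
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in KNOWN}

def nginx_enabled(args):
    """nginx `ssl_protocols` is a plain allow-list of version names."""
    return {CANON[a.lower()] for a in args if a.lower() in CANON}

def apache_enabled(args):
    """Apache `SSLProtocol` is read left to right: +name adds, -name removes,
    a bare name replaces the set. Assumption: `all` is expanded to every
    version in KNOWN, because its real meaning depends on the build."""
    enabled = set()
    for arg in args:
        sign = arg[0] if arg[0] in "+-" else ""
        name = arg.lstrip("+-").lower()
        group = set(KNOWN) if name == "all" else (
            {CANON[name]} if name in CANON else set())
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

PARSERS = {"ssl_protocols": nginx_enabled, "sslprotocol": apache_enabled}

def audit(config_text):
    """Return (line_no, protocol, flaw) for each legacy protocol left enabled."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        # Drop comments and nginx's trailing ';' before tokenizing.
        tokens = raw.split("#", 1)[0].replace(";", " ").split()
        if not tokens or tokens[0].lower() not in PARSERS:
            continue
        enabled = PARSERS[tokens[0].lower()](tokens[1:])
        for proto in sorted(enabled & set(LEGACY)):
            findings.append((line_no, proto, LEGACY[proto]))
    return findings

# Constructed sample configuration lines (not from any real system).
SAMPLE = """\
ssl_protocols SSLv3 TLSv1.2 TLSv1.3;   # nginx, weak
ssl_protocols TLSv1.2 TLSv1.3;         # nginx, corrected
SSLProtocol all -SSLv2                 # Apache, weak
SSLProtocol all -SSLv2 -SSLv3          # Apache, corrected
# ssl_protocols SSLv2;                 commented out, ignored
"""

print(audit(SAMPLE))
```

A configuration audit only shows intent; confirming what a listener actually negotiates still needs a scan of the running service.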

Mobile devices

Although the majority of cybersecurity professionals in the AT&T survey express confidence in the security of employees’ work-related mobile devices, about 40% admit that their mobile devices had been compromised occasionally (26%) or frequently (11%) over the past 12 months. The correlation between confidence level and security incidents is an awkward fit, to say the least.

The challenge is growing. As malicious code writers target mobile devices in greater numbers [29], cybercriminals are embedding malware into legitimate applications. Attackers are increasingly targeting app stores to distribute mobile apps loaded with malware — including wildly popular apps such as Pokémon Go. It took just 48 hours after the release of Pokémon Go in 2016 for hackers to create a repackaged, malware-laden version of the app for distribution on third-party app stores and internet file-sharing sites [30].

The challenges extend beyond apps. Wi-Fi hot spots that aren’t under the control of your network administrators continue to pose risks to enterprise data. Negligent or naïve employees are weak links in the enterprise security chain. Connecting to free public Wi-Fi at a coffee shop or the airport is done without regard to the potential consequences of exposing corporate assets to man-in-the-middle attacks that grab every piece of data — including email and app content — sent over the unsecured site.

What’s more, scammers who set up rogue Wi-Fi access points can mimic the characteristics of a trusted network. Users are fooled into connecting to their access point, where the criminals can steal personal data and passwords that provide access to corporate systems.

40% of organizations say their mobile devices were compromised over the past year

The bring-your-own-device (BYOD) trend adds to the challenges of mobile security. Increasingly, employees are using their personal devices for work — accessing enterprise systems while on the road and at home. But they’re also using those mobile devices for personal tasks. Delivery drivers use company-approved smartphones to track deliveries — but then casually surf the internet during downtime. Digital-savvy employees use their work phones to purchase goods at smart vending machines that can be compromised by an adept hacker.

At the enterprise level, the lack of robust, end-to-end encryption — for data that is stored and in transit — can spell disaster. Consider the possible consequences of the theft of an employee’s unencrypted laptop: The personal records of thousands of customers are exposed and the organization is brought to a complete stop while reacting to the breach.

Know the term:

BYOD

Bring-your-own-device is a business practice of permitting employees to use their own devices — computers, smartphones, tablets, or other devices — for work

Locking down your organization’s portable devices

Security challenges can vex enterprise security managers as they strive to deliver a highly secure mobile environment while being sensitive to users’ experience. Issuing corporate edicts that prohibit employees connecting to unsecured Wi-Fi, for example, may be tempting but is unlikely to eradicate the problem. One way to address the challenge is coming into focus: Mobile device security should be integrated into an organization’s overall cybersecurity strategy.

A more secure approach to the cloud

Cloud-computing services used without explicit organizational approval hold the potential to introduce a host of new cybersecurity risks. CIOs and CSOs agree that cloud services provisioned without IT’s knowledge represent the greatest security risk [31].

Enter the cloud access security broker (CASB), a third-party entity that enforces security policies tailored to an organization’s specific needs, industry and regulatory requirements, and access policies. When paired with a cloud broker — which helps organizations provision and manage cloud services — CASBs keep a watchful eye on cloud applications and data.

CASBs perform basic tasks, such as logging security threats and anomalies and providing the necessary alerts and recommended responses to security teams. They may also provide additional controls such as time-of-day restrictions or blocking users in certain locations or on certain devices from accessing services.

CASBs can help IT and security teams keep cloud-based services as highly secure as the on-premises systems that they control directly.