The National Convergence Technology Center (CTC) staff was recently invited to a meeting of the North Texas chapter of the Information Systems Security Association (ISSA). These meetings always feature fascinating keynotes and panel discussions regarding cybersecurity. Because the CTC is headquartered at Collin College just north of Dallas, ISSA event invites often come our way. The most recent meeting offered two presentations – one on the economics of cybercrime and one on the challenges of securing IoT devices. The IoT presentation came from a company called Phosphorus that specializes in identifying and securing IoT vulnerabilities.
Below are some highlights of those presentations.
* While robbing a bank – which requires an “in-person” engagement and carries a high risk of capture – averages a $1000 take, cybercrime like ransomware – which can be committed remotely and rarely results in capture – averages closer to $312,000 per crime. This is why cybercrime is growing.
* A second revenue stream is developing for cybercriminals. Before they lock you out of the network, they’ll steal the data. That way, after you pay the ransom to get your network back, you have to pay a second ransom to access the data (or to prevent that data from being leaked or shared).
* For now, disruptions caused by ransomware attacks cost up to 24 times more than the ransom. This means it’s still cheaper to pay the ransom. As cybercriminals start to realize this, the ransom prices will likely increase.
* Just as law enforcement adapted in the 1920s to stop the rash of bank robberies – through agency coordination and better tracking tools – modern day law enforcement needs to adapt to the threat of cybercrime.
* While we may think of an IoT device as something like a smart thermostat, in truth any device embedded with an IP address that sits on the network is an IoT device. Some of these can be easily overlooked, like the temperature sensors in a server rack or a maintenance port on a server. There can be up to 60 IoT devices just around a commercial double-door (security alarms, fire sensors, entrance keypads). All of these devices offer potential security vulnerabilities a cybercriminal can exploit to access a network.
* The two biggest security problems with IoT devices are out-of-date firmware and poor credential management. Companies would never leave a server unpatched for years or stick with the default password, but these practices are very common with IoT devices.
* 26% of IoT devices are “end of life,” which means no more patches are available. The presenter found one IoT device at a client’s company that was 26 revision patches behind.
* 50% of IoT devices still use default passwords.
* In addition to the IoT devices placed on the network by the company, there are many other vulnerabilities created by “shadow IoT” devices added without the IT department’s knowledge. Think of the dorm room Xbox or the laptop brought from home. If IT technicians don’t know about it, they can’t take steps to make sure it’s secur