Recently, Pwnie Express researchers released their third annual report on the wired, wireless, Bluetooth, IoT and BYOD challenges facing IT security professionals. It’s not your typical study. These researchers combine a survey of hundreds of IT security pros with “on-the-ground” data captured from Pwnie Express sensors, distributed across a number of businesses.
This mix of human perspective and real-world data offers a more accurate picture of what’s really going on out there. This year’s report had some interesting findings that I wanted to point out. If you have time to read the report — and I recommend it — you can get it here, for free. If you can’t, I’ll take a minute to sum it up for you.
Mirai Steals the 2017 Spotlight
The focal point of the study revolves around one of last year’s biggest headlines: Mirai. You probably know that Mirai is malware that turns the computer systems inside Internet-connected consumer devices like cameras and home routers into remotely controlled bots. When joined together into a botnet, they can be used in large-scale network attacks.
Last October, Mirai malware was responsible for the distributed denial-of-service (DDoS) cyberattack against DNS provider Dyn, which brought down Internet platforms and services across Europe and North America. Security experts called it the largest DDoS attack on record.
According to the Pwnie report, Mirai had a profound impact on IT security professionals. In fact, 84 percent said Mirai changed their perceptions of IoT device threats. It painted a clear picture of how vulnerabilities in IoT devices could be exploited to disrupt business.
Raising awareness is always good when it comes to cybersecurity. And it’s important that we realize that the threats are no longer limited to laptops, printers, cell phones and other employee devices. Now they can target everything from smart whiteboards to wireless security cameras and even coffeemakers.
Awareness Does Not Equal Action
The result was interesting: 44 percent responded that they’re now more concerned with device threats than traditional network security — up 16 percent from 2016. Nearly 90 percent said they were concerned about IoT vulnerabilities, and the same number predicted connected device threats would be a major issue in 2017.
But according to the report, concern hasn’t translated into action. In fact, over two-thirds of the respondents either hadn’t checked or didn’t know how to check devices for Mirai, with the same number unaware of how many connected devices even came into their offices. Less than 10 percent could detect Mirai on a webcam, printer or a device brought into the office.
“There’s Nothing Like a Good Crisis to Define Who You Are.”
Okay, maybe IoT threats haven’t reached crisis proportions (yet) but they have undeniably surfaced as a significant issue. There are three ways you can respond:
- Ignore it. Inaction is a form of action, so ignoring it and hoping it goes away is a valid response — just not one that will look good on the resume you’ll be updating. Choosing to not respond is actually more common than you might think, as the study illustrates.
- Deny it. See above. Denial isn’t really the problem here as most acknowledge the need to act. Yet, the lack of actual response does suggest that the problem hasn’t become entirely “real” yet.
- Be an effective leader. Take the time to evaluate the situation and devise a response plan. Institute prompt action, but don’t act in haste. And manage expectations — management needs to understand the threat, what resources will be required to combat it and to what degree it will be mitigated by various courses of action.
Parallels Between Security Threats
Whether we’re talking about new IoT threats or evolving threats to user identities, ignoring or denying new realities are not good responses. Doing so can imperil companies as well as the careers of those responsible for protecting them. Falling behind can also be problematic — if you’re still trying to respond to issues that emerged in 2015, you’re going to find it very difficult to place focus on those that appear in 2017 — and they will appear.
Lastly, I’ll leave you with this statement from the report:
“Traditionally, InfoSec teams had a difficult but straightforward job: They needed to understand their assets, know what they were connecting to, and separate them from the outside world. That standard has changed, thanks to the many devices introduced into the workplace…”
Sounds familiar, doesn’t it? One could also say that previously, InfoSec teams could effectively secure an organization by protecting its perimeter. But new technologies such as cloud, mobile and IoT have obliterated any clear line of defense, representing a new dimension in security. This new threatscape requires a paradigm shift that challenges a perimeter-based approach. Adapt your thinking to a boundaryless landscape and leverage the power of Identity Services. Sooner rather than later.
Learn more about leveraging the power of Identity Services with our eBook, “Rethink Security: A Massive Paradigm Shift in the Age of Access.”