IoT Vulnerabilities Cost More Than $500,000 Per Month. How To Protect Devices?

19 December 2018 20:33, UTC
Mikhail Kashin

According to a World Economic Forum (WEF) report, cyber attacks rank first on the list of the biggest business risks in Europe, East Asia and North America. Most cyber attacks are aimed at obtaining money or data, but more and more often their goal is to gain control over IoT devices. According to experts’ estimates, this threat will intensify during 2019.

Cyber threats prediction for 2019

According to a report by the Statista analytical service for April 2018, 15% of all cyber attacks in the world caused financial damage to enterprises in the amount of $0.5 million to $1 million. At the same time, 8% of the total number of hacks resulted in losses of more than $5 million for the affected companies. Moreover, the financial losses from the attacks themselves are not the worst part; the problem lies in the consequences. Taking India as an example, direct damage from cyber attacks amounted to about $900 thousand, while the indirect costs associated with them, such as job losses or reputational damage, amounted to about $3.1 million. At the macroeconomic level, cyber attacks took about $6.3 million from Indian enterprises. In total, the average price tag of cyber attacks in India is about $10.4 million.

Such figures suggest that modern cybercriminals have the resources to develop their skills further and have access to all the necessary tools. At the same time, not every company is able to spend commensurate amounts on cybersecurity.

However, it should be borne in mind that a separate cybersecurity department still costs less than the losses from cyber attacks. Currently, the average annual salary of a cybersecurity employee in North America is $100,650, in EMEA - $6,143, in the Asia-Pacific region - $59,827, and in Latin America - $34,517. Demand in the cybersecurity market is now huge and far exceeds supply: there is a catastrophic shortage of qualified personnel. Even large companies, such as IBM, are recruiting staff without a specialized education and training them on the job. Of course, the costs are not limited to this, because the success of a cybersecurity department depends on regular training and general computer literacy.

A large number of hacks occur because companies’ employees and private users lack knowledge of elementary security rules, such as the requirements for password strength or caution when viewing suspicious pages and emails. Experts say that a good hacker can crack 2/3 of existing passwords. The use of corporate mailboxes and other services for personal purposes has become one of the main reasons for the growth of phishing attacks.

Every employee should be aware of the signs that equipment may be infected. Any emails from unfamiliar addresses, whether advertising or from an unfamiliar “boss”, should at least arouse suspicion and, at best, be ignored completely. However, even major politicians sometimes neglect the rules of digital hygiene. Of course, we are talking about the Democratic National Committee hack in 2016.

An infection can be detected by signs such as the computer slowing down, security programs disabling themselves spontaneously, and the browser redirecting to suspicious sites. Employees of the cybersecurity department should monitor the status of anti-virus programs and update them regularly.

But no security system will save your business information if employees themselves become the cause of the vulnerability of the company's IT ecosystem. Sanxchep SHARMA, IT director of Delhi Public School Guwahati Model United Nations, told Bitnewstoday.ru in an interview that the problem is acute, despite the rapid development of information technologies: “The economy and other areas of life are turning into a digital network format, but people are still not sufficiently informed to identify phishing sites or scams. While banks, cryptographic wallets and the stock market have an online payment system, users often forget to check the URL or SSL of the site they visit.”

High in the clouds

In addition to the human factor, a potential threat comes from the vulnerabilities of cloud data storage technology. New management methods and the flexibility and universality of cloud services, which allow access to data from any operating system and device on the corporate network, pose a direct threat to data security. In order to get information from all computers, an attacker only needs to hack into the one device with the least protection.

To protect yourself and your business from this threat, you need to act consistently. Before transferring corporate information to the cloud, you should make sure that the security systems are updated and ready to take a hit from the cybercriminals. Confidential information should be protected - each employee should have access only to information that is sufficient for him to do his job.

Rise of the Machines - IoT as a threat

One of the main threats of the coming year may be the spread of IoT. According to forecasts, by 2020 the number of connected IoT devices worldwide will reach 50 billion. Many experts believe that the Internet of Things has not become safer over the past year and is still one of the most critically vulnerable technologies in everyday life and business.

Sanxchep SHARMA believes that this year we have seen enough attacks related to unauthorized access to confidential information to assert that more powerful attacks are expected next year in a new, improved form. “Now there is a significant trend towards the exploitation of the AI sector for personal gain, which can completely compromise it. Attacks on IoT devices will lead in growth compared to other types of cyber attacks, which directly correlates with a significant increase in the number of connected devices.”

Even if someone does not have smart watches, cars or a smart home system, almost all enterprises use motion, temperature and light sensors, surveillance cameras, conveyor controllers and other automated systems that operate using IoT technology.

Many smart devices are attacked, or themselves become the source of attacks after being hacked and loaded with malware. In October 2016, Mirai malware was used to launch a distributed attack against the American DNS provider Dyn DNS from various IoT devices. This cyber attack was the largest recorded: its load is estimated at 1.2 terabits per second. Prior to that, attacks with a load of about 100 gigabits per second were considered super-powerful and fairly rare. The criminals’ weapon was a network of connected devices that were vulnerable because ordinary users had not changed their factory settings. The attack made it difficult to access Twitter, GitHub, Visa, PayPal, and even the BBC and Fox News media resources.

In 2017, routers (69.7% of all IoT devices used for attacks) and video surveillance cameras (24.7%) became the main tools for DDoS attacks. In 2019, experts expect a significant increase in DDoS attacks.

Convenient and dangerous IoT

In the future, IoT devices may increasingly be hacked in order to change their functionality. A vulnerability has already been found that makes it possible to influence the charge level and operating mode of implantable cardiac devices. This is a direct threat to life. In 2009, Iranian uranium enrichment centrifuges were attacked by the Stuxnet virus. Unnoticed by the workers, the virus caused overloads and put equipment out of action. The United States has also repeatedly seen pranksters hack traffic signs. So far no one has suffered from these actions, but they can pose a serious threat to drivers. But what if cyber-terrorists hack into larger systems, such as drug controllers? Then they will have the opportunity to influence the composition and quality of pharmaceuticals.

The safety of smart cities is also under threat. Often, in order to start operating new systems as soon as possible, experts neglect the protection of devices. For example, speed registration cameras have open ports and, due to the lack of passwords, they allow a video stream to be viewed by any Internet user. Ensuring the cybersecurity of smart cities is now a priority for many experts.

Large companies continue to present new ambitious projects, such as unmanned vehicles. Considering that in 2015 Jeep Cherokee, which did not rely so heavily on automation, was hacked, the manufacturers of unmanned vehicles would have to prove their 100% protection against hacking and the safety of their product.

According to statistics, in 2018 the number of companies that widely implemented encryption for IoT devices in their business was 26%. To ensure the security of the Internet of Things in business and in everyday life, at least elementary security measures must be observed - such as changing factory settings and device passwords, encrypting data, protecting transmission channels, regularly monitoring incoming and outgoing information for suspicious traffic. You need to make sure that the default passwords are changed on all smart devices. Since there are no uniform standards for ensuring the safety of devices, many large companies offer their solutions in this area. However, due to their diversity, compatibility problems or scaling of “smart” systems may arise.
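The elementary measures listed above can be checked against a device inventory. The following is an added example, not part of the original article: the inventory records, field names and the list of unencrypted services are constructed assumptions, and the audit only reads the inventory; it does not touch any device.

```python
# Added example: audits a constructed device inventory against the
# measures named in the article (passwords, encryption, exposure).
PLAINTEXT = {"telnet", "http", "ftp", "rtsp", "mqtt"}  # assumed policy list

# Constructed sample inventory; names and field layout are hypothetical.
INVENTORY = [
    {"name": "lobby-cam", "default_password_changed": False,
     "services": {"rtsp": {"auth": False, "exposed": True}}},
    {"name": "edge-router", "default_password_changed": True,
     "services": {"ssh": {"auth": True, "exposed": False},
                  "http": {"auth": True, "exposed": True}}},
    {"name": "temp-sensor-3", "default_password_changed": True,
     "services": {"mqtts": {"auth": True, "exposed": False}}},
]

def audit_device(dev):
    """Return (severity, findings) for one inventory record."""
    findings = []
    weak_login = not dev["default_password_changed"]
    if weak_login:
        findings.append("factory password still in use")
    critical = False
    for svc, cfg in sorted(dev["services"].items()):
        if svc in PLAINTEXT:
            findings.append(f"{svc}: unencrypted channel")
        if not cfg["auth"]:
            findings.append(f"{svc}: no authentication")
        if cfg["exposed"]:
            findings.append(f"{svc}: reachable from the internet")
            # Exposed and effectively unprotected: fix these first.
            critical = critical or weak_login or not cfg["auth"]
    if critical:
        return "critical", findings
    return ("warning" if findings else "ok"), findings

def audit_inventory(inventory):
    """Return [(severity, name, findings)] with the worst devices first."""
    order = {"critical": 0, "warning": 1, "ok": 2}
    rows = [(*audit_device(d), d["name"]) for d in inventory]
    rows.sort(key=lambda r: (order[r[0]], r[2]))
    return [(sev, name, f) for sev, f, name in rows]

if __name__ == "__main__":
    for sev, name, findings in audit_inventory(INVENTORY):
        print(f"{sev:8} {name}: {'; '.join(findings) or 'no findings'}")
```

The camera record is ranked first because it combines an unchanged factory password with an unauthenticated stream that is reachable from the internet, the same combination the article describes for speed cameras and the devices behind the Dyn attack.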

The consequences of single attacks on home appliances can be eliminated by restoring the factory settings of the equipment. But if more serious devices are attacked, be it a blast furnace at the plant or a pacemaker, then the consequences could be serious injury or death. It is possible that precisely such attacks, which may become fatal, will lead to an awareness of the urgent need to raise cybersecurity requirements for massively deployed IoT devices at both corporate and state levels.