Black Hat Asia 2017: CISOs Must Get Proactive about the Internet of Things

These four steps will help reduce the risk from looming IoT attacks

By Douglas Browne, Managing Director, APAC at Qualys

Already busy protecting IT environments upended by cloud and mobility, CISOs now must deal with another security and compliance game changer: the Internet of Things. IoT opens up a new universe of attack opportunities for hackers to:

  • Steal confidential information
  • Tamper with “things” and cause real-world harm
  • Distribute malware
  • Hijack computing capacity and network bandwidth for DDoS attacks

With IoT, the number of connected devices that transmit sensitive data and can be remotely managed - and hacked - has skyrocketed, because previously offline "things" that were never designed to resist attackers are now online: toys, appliances, door locks, industrial machines, building equipment, vehicles, medical devices and security cameras.

While IoT yields many benefits for businesses, governments and consumers, its security has been a glaring afterthought, and CISOs are justifiably alarmed. According to Gartner, by 2020 more than 25% of identified attacks in enterprises will involve IoT, with an estimated 8.4 billion connected "things" in use.

CISOs got a nasty wake-up call last October. Attackers infected roughly 100,000 IoT devices with the Mirai malware and used the resulting botnet for a DDoS attack against DNS provider Dyn, crippling major websites. Many see the Dyn incident as the first of many nightmare scenarios in which attackers alter a data center's thermostat to damage expensive equipment, disable the brakes on vehicles to cause accidents, or tamper with medicine pumps in hospitals to harm patients.

Here are four proactive steps CISOs can take to help reduce the risk from potential IoT attacks:

Step 1.  Identify IoT initiatives in your organization, understand their business goals, and get involved by:

  • Inventorying new IoT network endpoints
  • Planning for IT resources IoT systems will need, such as storage, bandwidth and middleware
  • Determining what physical security endpoints should have
  • Establishing the monitoring and alerting required to detect atypical endpoint behavior
  • Drafting policies governing IoT systems’ secure usage, management and configuration
  • Communicating IoT systems’ InfoSec, compliance and physical risks to business managers, IT leaders, CxOs and board members
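The inventory and the monitoring-and-alerting bullets above are the parts of Step 1 that turn into code. The following is an added example, not code from the article or from Qualys: a minimal check that takes a known-endpoint inventory (each device's role, the destinations and ports it is expected to use, and its normal outbound volume) and runs constructed flow records against it. The device addresses, vendors, baselines and flows are all hypothetical. It flags exactly the three conditions a CISO's monitoring should catch: an endpoint nobody inventoried, a known endpoint talking somewhere outside its baseline (a thermostat reaching out to Internet telnet), and a known endpoint pushing far more traffic than normal, which is what a Mirai-style DDoS participant looks like from the inside.

```python
"""Added example: inventory and baseline check for IoT endpoints.

Not from the original article or from Qualys. All addresses, vendors,
baselines and flow records below are constructed so the check runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    ip: str
    vendor: str
    role: str
    # (dst_ip, dport) pairs this device is expected to use; "*" matches any dst
    allowed: set = field(default_factory=set)
    # normal outbound bytes per monitoring window (constructed baseline)
    baseline_bytes: int = 0


# Constructed inventory of known IoT endpoints (hypothetical addresses/vendors)
INVENTORY = {
    "10.0.50.11": Endpoint("10.0.50.11", "ExampleCam", "ip-camera",
                           {("10.0.1.5", 554)}, baseline_bytes=2_000_000),
    "10.0.50.12": Endpoint("10.0.50.12", "ExampleHVAC", "thermostat",
                           {("10.0.1.20", 8883)}, baseline_bytes=50_000),
}

# Constructed flow records for one window: (src, dst, dport, bytes)
FLOWS = [
    ("10.0.50.11", "10.0.1.5", 554, 1_900_000),     # camera streaming to NVR: normal
    ("10.0.50.12", "10.0.1.20", 8883, 40_000),      # thermostat MQTT to broker: normal
    ("10.0.50.12", "198.51.100.7", 23, 1_200),      # thermostat to Internet telnet: outside baseline
    ("10.0.50.11", "203.0.113.9", 53, 30_000_000),  # camera blasting DNS traffic: volume anomaly
    ("10.0.50.99", "10.0.1.5", 554, 500),           # device nobody inventoried
]


def check_flows(flows, inventory, volume_factor=5):
    """Return a list of (source_ip, finding) tuples for the given flows.

    Three detections:
      1. source not in the inventory (reported once per unknown device)
      2. known device contacting a (dst, port) outside its allowed set
      3. known device's total outbound bytes exceeding volume_factor x baseline
    """
    findings = []
    out_bytes = defaultdict(int)
    seen_unknown = set()
    for src, dst, dport, nbytes in flows:
        ep = inventory.get(src)
        if ep is None:
            if src not in seen_unknown:
                seen_unknown.add(src)
                findings.append((src, "unknown endpoint not in inventory"))
            continue
        if (dst, dport) not in ep.allowed and ("*", dport) not in ep.allowed:
            findings.append((src, f"{ep.role} contacted {dst}:{dport} outside baseline"))
        out_bytes[src] += nbytes
    # Volume check runs over the whole window, not per flow
    for ip, total in out_bytes.items():
        ep = inventory[ip]
        if ep.baseline_bytes and total > volume_factor * ep.baseline_bytes:
            findings.append((ip, f"{ep.role} sent {total} bytes, more than "
                                 f"{volume_factor}x its baseline of {ep.baseline_bytes}"))
    return findings


if __name__ == "__main__":
    for ip, finding in check_flows(FLOWS, INVENTORY):
        print(f"ALERT {ip}: {finding}")
```

In practice the inventory comes from the asset-discovery step and the baselines from a few weeks of observed traffic; the point of the example is that once those two exist, "atypical endpoint behavior" reduces to a handful of set and threshold comparisons that can run on every flow export.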

Step 2. Poll service providers, partners, contractors and other third parties about their use of potentially insecure IoT systems that may endanger systems or data you’ve given them access to.

Step 3. Do due diligence on IoT system vendors by testing their products’ security and getting answers to questions like:

  • Can products be scanned, monitored and patched to fix vulnerabilities?
  • Are they baking security into product design?
  • Do their systems use secure hardware and software components?
  • Does product development have expertise on InfoSec areas like secure application development and data protection?

Step 4. Shine the harsh light of regulatory and policy compliance on your organization’s IoT plans, to determine:

  • Which data will be captured and transmitted by IoT endpoints?
  • What is the business risk of that data getting breached?
  • What regulations apply to IoT systems?

4/25/2017 | 6:53:02 AM
Well written
Great Article. Kudos to you!

3/14/2017 | 11:50:38 PM
Great article
Cool, I hope Qualys has made it their mission to make InternetOfThreats (IoT as it is now) to InternetofTamed EndPoints. 

Qualys was always enterprise and carrier ready so the size and scale of growth IoT is not something that would bother Qualys ever.

Very well written article Mr Browne.