Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
12:00 PM
Douglas Browne, Managing Director, APAC at Qualys
Douglas Browne, Managing Director, APAC at Qualys
Event Updates

Black Hat Asia 2017:
CISOs Must Get Proactive about the Internet of Things

These four steps will help reduce the risk from looming IoT attacks

Already busy protecting IT environments upended by cloud and mobility, CISOs now must deal with another security and compliance game changer: the Internet of Things. IoT opens up a new universe of attack opportunities for hackers to:

  • Steal confidential information
  • Tamper with “things” and cause real-world harm
  • Distribute malware
  • Hijack computing capacity and network bandwidth for DDoS attacks

With IoT, the number of connected devices that transmit sensitive data and can be remotely managed - and hacked - has skyrocketed due to previously offline “things” that weren’t designed  to be protected from hackers, such as toys, appliances, door locks, industrial machines, building equipment, vehicles, medical devices and security cameras.

While IoT yields many benefits for businesses, governments and consumers, its security has been a glaring afterthought, and CISOs are justifiably alarmed. By 2020, more than 25% of identified attacks in enterprises will involve IoT, according to Gartner, from an estimated 8.4 billion connected "things" that will be in use.

CISOs got a nasty wake up call last October. Hackers infected 100,000 IoT devices with Mirai malware and used the botnet for a DDoS attack against DNS provider Dyn, crippling major websites. Many see the Dyn incident as the first of many nightmare scenarios in which attackers will be able to alter the thermostat on a data center, damaging expensive equipment, disable the breaks on vehicles, causing accidents, and tamper with medicine pumps in hospitals, harming patients.

Here are four proactive steps CISOs can take to help reduce the risk from potential IoT attacks

Step 1.  Identify IoT initiatives in your organization, understand their business goals, and get involved by:

  • Inventorying new IoT network endpoints
  • Planning for IT resources IoT systems will need, such as storage, bandwidth and middleware
  • Determining the physical security endpoints should have
  • Establishing the monitoring and alerting required to detect atypical endpoint behavior
  • Drafting policies governing IoT systems’ secure usage, management and configuration
  • Communicating IoT systems’ InfoSec, compliance and physical risks to business managers, IT leaders, CxOs and board members

Step 2. Poll service providers, partners, contractors and other third parties about their use of potentially insecure IoT systems that may endanger systems or data you’ve given them access to.

Step 3. Do due diligence on IoT system vendors by testing their products’ security and getting answers to questions like:

  • Can products be scanned, monitored and patched to fix vulnerabilities?
  • Are they baking security into product design?
  • Do their systems use secure hardware and software components?
  • Does product development have expertise on InfoSec areas like secure application development and data protection?

Step 4. Shine the harsh light of regulatory and policy compliance on your organization’s IoT plans, to determine:

  • Which data will be captured and transmitted by IoT endpoints?
  • What is the business risk of that data getting breached?
  • What regulations apply to IoT systems?

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/25/2017 | 6:53:02 AM
Well written
Great Article. Kudos to you!
User Rank: Apprentice
3/26/2017 | 2:44:48 PM
User Rank: Apprentice
3/14/2017 | 11:50:38 PM
Great article
Cool, I hope Qualys has made it their mission to make InternetOfThreats (IoT as it is now) to InternetofTamed EndPoints. 

Qualys was always enterprie and carrier ready so the size and scale of growth IoT is not something that would bother Qualys ever. 

Very well written article Mr Browne.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-10-19
Out-of-bounds read vulnerability in CX-Supervisor v4.0.0.13 and v4.0.0.16 allows an attacker with administrative privileges to cause information disclosure and/or arbitrary code execution by opening a specially crafted SCS project files.
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.1...
PUBLISHED: 2021-10-18
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix...
PUBLISHED: 2021-10-18
OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to point to anywhere on t...
PUBLISHED: 2021-10-18
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. Thi...