In several corporate boardrooms (perhaps yours), this was the week where the risk and scale of vulnerable unmanaged and IoT devices started to really hit home.
“We’ve often used surveillance systems as pivots into the corporate environments...so, yea, I’m not surprised by this (breach) and I’m sure this is just the tip of the iceberg.” one hacker commented in SecurityInfoWatch
Verkada’s massive camera breach, which saw hackers disseminate confidential footage from over 150,000 surveillance cameras as well as having control of the cameras and root access to them, organizations didn’t have to wonder why the hackers targeted cameras.
IP cameras, as well as other types of IoT devices, have become such attractive targets that in 2019 the number of known exploits targeting them exceeded the number of exploits aimed at IT-managed systems; by 2025 more than 75% of vulnerabilities will target them.
In these boardrooms many already know that according to Gartner by 2023 cyber-physical system security breaches will have cost businesses more than $50 billion, and by 2024 over 75% of CEOs will face personal liability for cyber breaches. But until this week getting in control of cyber hygiene for unmanaged and IoT devices may have been something to get to “tomorrow” – now it is something that needs attention “today”.
Three critical events that came together were the ongoing issues in containing the massive Solarwinds exploit, the Windows Exchange Server hack, and the Verkada breach impacting users of their surveillance cameras. The Solarwinds breach, where backdoors were planted in organizations using Solarwinds software, has become a difficult and ongoing issue for organizations impacted. The reason is when hackers gain access in this way, they often exist on the network for a long time and can use that access to observe and penetrate deeper. Additionally, the hackers took advantage of the software being commonplace within IT organizations and not thought of as a possible attack vector. The result is there will be many further weeks and months spent to simply find out how deep the hackers got in. Similar to how unmanaged and IoT devices exist; often they are “set it and forget it”, and not thought of as attack vectors. As Solarwinds shows, there should be an urgency to review, update, and manage these devices on a regular basis, to detect and thwart attacks already planned or deployed.
In the case of the Windows Server Exchange hack it is a lesson in how organizational risk is directly correlated to how fast an organization can patch their systems. On March 2nd Microsoft issued emergency fixes because of 4 new zero day exploits that were uncovered in Exchange Server, impacting 400,000 servers. While many organizations have promptly dealt with updating firmware and running additional cyber scans, many are still in process of rolling it out. Not surprising that today (March 12th) Microsoft is reporting that cyber criminals are actively exploiting this vulnerability to deliver ransomware (DearCry). Given this window of opportunity, cyber criminals are in high gear – according to Check Point Research exploitation efforts are doubling every two to three hours (emphasis added). And over 80,000 Exchange Servers remain unpatched and vulnerable as of this post. Now consider that compared to the 400K Exchange Servers effected that there are over 10 billion unmanaged and IoT devices; 25,000 times as many. Take IP cameras for example; every organization has them, few are managed by IT, many are in out of the way locations, and may even have exposed USB ports. There should be an urgency on making sure your organization can use automated firmware, certificate, and password management capabilities to make the window of opportunity for hackers as short as possible (ideally zero).
In the case of Verkada’s massive camera breach, which saw hackers disseminate confidential footage from over 150,000 surveillance cameras as well as having control of the cameras and root access to them, organizations didn’t have to wonder why the hackers targeted cameras. As highlighted by Steve Lasky in SecurityInfoWatch, one hacker commented that “we’ve often used surveillance systems as pivots into the corporate environments because we again see where too often the physical and digital security folks are not talking in an efficient way. The same can be said for the audio/visual folks as well. So, yea, I’m not surprised by this (breach) and I’m sure this is just the tip of the iceberg.” IP cameras, as well as other types of IoT devices, have become such attractive targets that in 2019 the number of known exploits targeting them exceeded the number of exploits aimed at IT-managed systems; by 2025 more than 75% of vulnerabilities will target them. Hearing loud and clear from hackers themselves that surveillance systems allow them to pivot into corporate environments should create urgency on cyber hygiene, and given the scale of such devices, on automated cyber hygiene solutions.
Bringing together automated IoT device discovery and vulnerability remediation is the first step for organizations looking to take action. Knowing what you have, if it is vulnerable, and making it secure now can be done automatically, critical to quickly shutting down cyber threats at scale. Customers can quickly and cost-effectively make these devices secure, visible, and capable of delivering their full value. I’d encourage you to join our webinar with Armis on March 24 with or request a demo at www.viakoo.com. The time is now for taking action – the growing risk from unmanaged and IoT devices at scale, combined with hackers stated intent to exploit such devices, makes taking action now an imperative. Viakoo is here to help.