While the Delta variant of COVID-19 has upended some companies’ plans for a quick return to work this fall, there is another danger for those returning to the office: millions of Internet of Things (IoT) devices, long forgotten in the rush to move workers to home offices 18 months ago.
In March 2020, as the world went home and IT teams struggled to set up and secure new networks, forgotten or abandoned IoT devices remained connected to office WiFi and Internet connections – and continued to collect data.
Attackers noticed this too, according to a report published by security firm Zscaler’s ThreatLabz in July. To study the issue, researchers looked at data from half a billion IoT transactions between December 15 and December 31, 2020, when most offices were still abandoned due to the pandemic and the holiday season.
The researchers found that the attackers targeted a number of common IoT devices, including connected office equipment such as printers and IP cameras, to help create and augment malicious botnets. The report also noted that TVs and smart cars were caught up in these attacks.
Many of these devices used unsecured, unencrypted channels for data transfer, the report found. “The growing breadth of IoT devices entering corporate networks encompasses everything from smartwatches and IP cameras to automobiles and music furniture,” according to Zscaler researchers. “Seventy-six percent of transactions take place on unencrypted plain text channels, even though all devices use [secure socket layer] for at least one subset of their communications.”
Even before the COVID-19 pandemic, IoT and other related devices had greatly expanded the attack surface, giving threat actors additional access points to vulnerable networks. The last 18 months have made the problem even more complicated, said AJ King, CISO at security firm BreachQuest.
“Security executives are all very aware of the threats posed by IoT devices in corporate environments. These devices generally do not support endpoint detection and response or other security agents, do not integrate with vulnerability management platforms, and they tend to be black boxes when it comes to functionality,” King told Dice.
“There are few questions that unknown, feature-comparable IoT devices have more vulnerabilities than their brand counterparts,” King added. “Moreover, they are usually less responsible – or completely unresponsive – in providing patches or mitigations. But end users may only see the lowest price and not realize it translates into higher risk.”
Hybrid work and IoT
Even before the pandemic, the threats that unsecured or poorly secured devices posed to corporate networks – even when these connected devices did not have a specific IT use – had become apparent.
In February 2020, Check Point Research published a report that found that attackers could use vulnerabilities in smart bulbs to attack a wide range of home or corporate networks, using them to launch malware or ransomware.
The consumerization of IT, along with the rush to digitize almost all office functions, has helped expand the threat landscape, which is why IoT devices and the data they hold have become a growing security headache, said Tyler Shields, CMO of security firm JupiterOne.
“More applications, more data in the cloud, more digital experience means more targets of opportunity and chance,” Shields told Dice. “There will be a steady increase in data compromise as we move more and more out of our daily lives into the cloud. We are really just beginning to see the expansion of digital experiences and the attacks that will grow along with it.”
Joseph Carson, chief security scientist and CISO consultant at ThycoticCentrify, noted that the COVID-19 pandemic has marked the end of the traditional network perimeter. This means that security and IT teams need to develop a new mindset on how to protect data, especially when these tangible IoT devices are placed by workers, whether at home or in the office.
“Businesses need to adapt and prioritize managing and securing access to business applications and data similar to BYOD device types,” Carson said. “This means further network sharing for insecure devices, but secured with strong privileged security controls to enable productivity and accessibility.”
The figures show this. Zscaler researchers found that IoT malware on corporate networks grew 700 percent in 2020 compared to 2019. This increase is notable for its scale, as well as for the fact that most of the workforce was at home during that year.
Carson is not surprised by those increases, as the pandemic meant that normal security protocols were lost or ignored. Employees also gained access to data, applications, or devices that were previously banned or at least restricted.
“Remote work significantly increases internal threats from employees taking risks with company assets, such as stealing sensitive data for personal use or benefit as employers have less visibility into what employees have access to,” Carson said. “Employees have received company equipment that may have been dependent on network security, such as email gateways, web gateways, intrusion detection systems or firewalls to protect those devices. Now, most of those protections are very useless when the devices are moved to the public internet.”
Concerns in the clouds
While the Zscaler report focused primarily on the threat to IoT and related devices – and how attackers could use these vulnerable devices to create larger botnets – security experts also see other problems once workers start returning to offices.
Brendan O’Connor, CEO and co-founder at AppOmni, noted that the growing use of cloud-based and SaaS applications over the past 18 months has also led to high security concerns, especially when these applications are accessed through IoT or other related third-party devices.
“We find that while companies are eager to use these access points to enhance the functionality of their cloud and SaaS systems, they often neglect to secure and monitor them in the same way that they provide network access. their corporate potential, leading to large access vulnerabilities that may be completely unknown to the company,” O’Connor said.
In this case, reliance on internal cyber security capabilities may not be sufficient. Organizations may need to rely more on automation and third-party assistance to ensure security.
“As the complexity of cloud and SaaS environments – and security-related configurations – continues to grow, companies will need to use automated tools to ensure that their security settings match their business purpose and monitor constantly security checks to prevent configuration changes,” O’Connor said. “This is simply no longer a task that teams will be able to proceed with using only manual processes.”