The Internet of Things (IoT): The Single Biggest Risk to Your Privacy


According to Gartner, by 2020 there will be 20.8 billion devices connected to the Internet. To provide a bit of context, the U.S. population is 318 million and the worldwide population is 7.5 billion, which means there will be roughly 3 devices for every person on Earth. These devices include everything from smartphones to home automation tools to cars, and everything in between – all connected to the internet and accessible.

Historically, one of the biggest threats to security has been ease of use and convenience for the end-user, and that has never been more true than it is right now in relation to deploying consumer devices connected to the Internet of Things (IoT). Consumer devices make up the single largest segment of IoT devices, and because of that, plug-and-play, easy-to-use, zero-configuration devices are in high demand and manufacturers are listening. Ease of deployment has, unfortunately, resulted in a huge lack of proactive security measures, including patching vulnerabilities within firmware or operating systems, which renders most devices connected to the IoT exploitable.

Alarmingly, it isn’t very difficult to find IoT devices that are connected and available for access. Using search engines like Shodan, you can quickly search for IoT devices such as web cameras, routers, firewalls and smart TVs, and determine their locations. Many of these devices are using default user names and passwords, which can also be easily discovered with a quick internet search.

Due to this lack of security and the ease of identifying vulnerabilities, exploits and locations, individuals are at risk of being targeted, which, surprisingly, doesn’t seem to be a huge concern among consumers. A recent survey of 2,000 households found that 66% of consumers are more concerned with the price of their devices than with the privacy and security features they may offer. As more of these devices are deployed in households, the risk of a security/data breach increases.

Protecting your IoT devices not only protects your privacy but also protects the privacy and security of the entire Internet community. Compromised devices can become infected with malware and become part of a large botnet used to attack other users or services on the Internet. A recent attack on the infrastructure of the internet caused a large-scale outage that lasted hours. Users and manufacturers have a responsibility to secure and protect the devices that are attached to the internet.

Until manufacturers build higher levels of security into these devices, there are some easy measures that can be taken to secure your IoT environment:

• Evaluate whether your device has to be connected to the Internet. Just because it can doesn’t mean it’s necessary 100% of the time.

• Change the default user name and passwords that your device came equipped with. If this is not possible, do not deploy the device.

• Create a separate network for these devices. Putting your IoT devices on a separate network from your computers and files allows them to reach the internet, but not the primary network that stores your private information.

• Disable Universal Plug and Play (UPnP). This protocol makes it easy to deploy devices; however, it is also a large security risk, as these devices could be discovered beyond your local network.

• Make sure you can update the firmware. If this is not possible, do not deploy the device. Updating firmware is critical and should be done regularly, as updates fix vulnerabilities within the software (firmware) that controls the device.
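As an added example (not part of the original post), the following Python script verifies the UPnP step above on your own network: it sends a standard SSDP M-SEARCH to the UPnP multicast group (239.255.255.250:1900, the protocol's fixed address) and lists every device that still answers, singling out a router that advertises the Internet Gateway Device profile, the service that opens inbound port mappings. If nothing answers after you disable UPnP, the setting took effect; the sample reply used to exercise the parser is constructed.

```python
import socket
from typing import Dict, List
SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group/port

# An M-SEARCH asks every UPnP device on the LAN to identify itself.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()

def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an SSDP '200 OK' reply into lower-cased headers; anything else yields {}."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():                    # blank line ends the headers
            break
        name, sep, value = line.partition(":")  # split once: LOCATION has ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_internet_gateway(headers: Dict[str, str]) -> bool:
    """True if the reply advertises the UPnP Internet Gateway Device (router port-mapping) profile."""
    needles = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")
    return any(n in headers.get(k, "") for k in ("st", "usn") for n in needles)

def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect every reply until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                headers["_from"] = addr
                found.append(headers)
    except OSError:
        pass                 # socket.timeout = no more responders; other OSError = no usable network
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    devices = discover()
    if not devices:
        print("No SSDP responders: UPnP appears to be disabled on this LAN.")
    for dev in devices:
        flag = "  <-- router IGD still enabled" if is_internet_gateway(dev) else ""
        print(f"{dev['_from']}: {dev.get('server', '?')} {dev.get('location', '?')}{flag}")
```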

New ‘nasty’ ransomware encourages victims to attack other computers

Popcorn Time malware offers users free removal if they get two other people to install link and pay

If the software gets a full release, its innovative distribution method could lead to it rapidly becoming one of the more widespread variants of this type of malware. Photograph: Alamy

Any user who finds themselves infected with the Popcorn Time malware (named after, but unrelated to, the bittorrent client) is offered the ability to unlock their files for a cash payment, usually one bitcoin ($772.67/£613.20).

But they also have a second option, described by the developers as “the nasty way”: passing on a link to the malware. “If two or more people install this file and pay, we will decrypt your files for free”.

The affiliate marketing scheme was discovered by security researchers MalwareHunterTeam. For now, it’s only in development, but if the software gets a full release, its innovative distribution method could lead to it rapidly becoming one of the more widespread variants of this type of malware.

Like most ransomware, Popcorn Time encrypts the key files on the hard drive of infected users, and promises the decryption key only to those users who pay up (or infect others). But the code also indicates a second twist: the ransomware may delete the encryption key entirely if the wrong code is entered four times. The in-development software doesn’t actually contain the code to delete the files, but it contains references to where that code would be added.

Advice varies as to what users who are infected with ransomware should do. Most law enforcement organisations recommend against paying the ransoms, noting that it funds further criminal activities, and that there is no guarantee the files will be recovered anyway (some malware attempts to look like ransomware, but simply deletes the files outright).

Many security researchers recommend similarly, but some argue that it should not be on the individual victim to sacrifice their own files for the sake of fighting crime at large. Some ransomware has even been “cracked”, thanks to the coders making a variety of mistakes in how they encrypt the hard drive. Petya and Telecrypt are two types of malware that have been so defeated.


Information Technology should Embrace Marketing


One of the biggest challenges facing IT departments today, beyond that of the ever-changing technology itself, is their inability to communicate effectively with their end-users. These lapses in communication, whether they’re caused by not communicating frequently enough or by a “language barrier” between the technical and non-technical staff, can lead to security risks, improper use of technology, and overall dissatisfaction with the services being provided by the department.

As we well know, the focus of IT delivery is to treat the end-users as consumers. Based on that methodology and the understanding that information technology departments are moving to an operational model where they act as a business providing services to customers rather than a department within an organization, marketing to the end-user is an essential component of ITaaS (IT as a Service).

In order to ensure effective, efficient communication, technology departments must start at the beginning and examine and revise their current end-user notification and education methods. Each year the workforce is reinvigorated with employees who are a bit younger than most of their colleagues and who are used to absorbing information and communicating in different ways. These employees are accustomed to a more social, less “corporate” means of communicating and are often quite adept at using social media platforms such as Twitter, Facebook, Instagram, and YouTube as a primary communication method. Unfortunately, most IT departments are not equipped to communicate effectively in this manner.

As a prime example of when marketing to end-users is important, we can take a look at Cyber Security Awareness Month, which falls in October. For the most part, IT departments will (if they do anything) send an email acknowledging that it is Cyber Security Awareness Month and highlighting the importance of taking proper cyber security measures. They may even go so far as to share video tutorials or PDFs containing step-by-step instructions on how to activate certain features or how to be more aware of suspicious attachments. In most cases, however, those methods are ineffective. Many people delete emails like that as soon as they see them or, if they’re arriving from their employer, will quickly scan them so that they can truthfully tell their employer they received and read them, and will then forget or ignore most of the content. In the majority of cases, though, emails like that just aren’t a high priority for many employees – they get lost in the daily shuffle of emails coming in from clients and coworkers, and no one really remembers to go back and check them.

In an effort to get your messages out to your employees, you may consider utilizing social and digital marketing tactics and communicating via mediums that they’re familiar with and readily checking. Create a Facebook Group for your employees where you post daily tips and security information. (Fun Fact: when you add someone to a group, the initial settings are that they will receive notifications when you post to the group in addition to seeing it appear in their newsfeed). Similarly, including infographics and images into newsletters – as opposed to blocks of text – will increase the likelihood that your employees will focus on and absorb the information provided to them. Creating learning activities and challenges will also provide ways to make security awareness training social and dynamic.

In order to effectively implement marketing strategies and tactics in your end-user education programs, it’s helpful to understand the seven fundamental elements of marketing in general. These elements are:

·      Distribution: The method employed to get your message to your consumer (in this case, your end-users). There are a variety of methods, both traditional (printed brochures and flyers) and digital/multimedia (email, social media, video, text messaging, etc.).

·      Financing: Every marketing campaign has a cost, even if it’s an internal campaign, and in order to demonstrate the effectiveness of the campaign you must examine the ROI (return on investment). However, with campaigns directed at the end-user, it’s important to consider the offsetting cost, that is to say, the amount of money that would be saved by the success of the campaign. For example, your organization may find after an internal audit that it “spends” (after applying an hourly rate to employees and evaluating the cost of equipment purchases) roughly $15,000 per year troubleshooting and remediating issues and replacing workstations. Comparatively, a 100 person company may elect to dedicate $25 per employee ($2,500 total) to security awareness training. When you consider the value of simply avoiding the problem in the first place, the cost of the campaign is minimal and well worth the spend.

·      Market Research: Understanding your workforce is key, just like understanding the target customer. You’ll want to consider what methods of communication might be most effective across your workforce as a whole as well as across various segments.

o  Younger employees may be more apt to watch a YouTube video or read an infographic, whereas your older employees may benefit more from in-person training.

·      Pricing: As you will be marketing to your own end-users, assigning the “price” of your endeavors differs a bit from the usual sense. Typically when assigning the price of an item the company will examine the cost to manufacture the item, the cost to ship the item, their desired profit margin, and a host of other factors and come up with a per-piece price. When marketing to your own end-user, you’ll instead want to examine what the most effective and reasonable method of communication is and determine which option has the highest value, regardless of the actual cost of the campaign.

o  For example, it may – at first glance – be more cost effective to spend $25 per person creating training videos versus deploying a web-based training program that costs $35 per person. However, if the effectiveness rate of the $25/person program is 30% and the effectiveness rate of the $35/person program is 75% then it becomes obvious that in the long run the more expensive program is the most cost-effective.

·      Products and Services Management: Once we understand the other foundational elements of the campaign, it’s important to consider how the campaign is managed and – specifically – how the end-user training is deployed and followed up on. This goes back to understanding your users and their needs. You’ll want to develop a method of measuring the success rate (i.e., comparing the number of IT support tickets created month over month) as well as a method of soliciting feedback and providing additional resources or explanations. Your campaign will never be effective if there is no way for your end-users to tell you whether or not it makes sense or to get clarification on issues.

·      Promotion: This is simple: IT should be promoted in a positive manner, and the training and campaign should be framed as a big-picture solution. You don’t want to frame it as “the IT department has dropped the ball in the past and now we’re catching up.” You’ll also want to use your campaign to create a positive identity for IT. In far too many organizations the over-worked, under-staffed IT department employees are seen as people who are short-fused and grumpy. This is usually because they simply don’t have the time for idle chit-chat when their primary communication with their colleagues is people complaining that things aren’t working. They also have the responsibility of prioritizing the order in which tickets are worked, which often leaves their co-workers feeling miffed if their issue isn’t deemed the highest priority. Take that into consideration and use your campaign as a means of explaining these issues to the larger employee pool and highlighting all of the great things the department does for the organization.

·      Selling: In this case you’ll want to focus on getting your employees to buy into the program. Get your message out, evaluate its success, make changes where needed, and continue to improve upon what you’ve already implemented.

Marketing can affect an IT department in a very positive manner as long as your organization is willing to commit to a long-term relationship with your marketers. One and done does not work; this is an ongoing process. Once you’ve begun to implement awareness and training campaigns you have to be prepared to continue – simply sending out one campaign and calling it a day won’t work. Continuously pushing your message in new and innovative ways that your audience responds to, however, will.

Ransomware: another way for vendors to make money

As we see more and more news stories about ransomware, security vendors are jumping on the bandwagon with their solutions. Most of these are incomplete and only offer a small part of the overall solution.  Few vendors offer a complete solution and for those that do, configuration and deployment is a nightmare for the average IT guy.  Most SMBs rely on endpoint protection (aka AV), UTM, etc., and vendors are taking advantage of that; rebranding and marketing to the ransomware hype.

The first line of defense is user education. What I am seeing when a company gets infected is that an end user opens an email and clicks on a link, or opens an attachment.  When discussed after the fact, most end-users say something like, “I did not read the email, just clicked on the link,” or “The attachment said resume, so I opened it.”  In these cases, endpoint protection (more on this in a minute) would not have protected the end user; education would have.

Speaking of endpoint protection, most vendors will say that they protect against zero-day threats as well as ransomware. This may be true if you use the most restrictive settings on the product; however, that comes at a cost, and in most cases it’s the end-user’s ability to do their daily job. The key is a balance between education and configuration.

A strong security program that includes multiple levels of protection decreases your chances of being infected.  An ideal solution would include web filtering (cloud based), Unified Threat Management at the firewall, endpoint protection on the desktop and lastly email filtering that offers URL scanning and attachment scanning. Let’s not forget end-user training, the human factor.  A single vendor solution does not provide the defense in depth model that multiple vendors can provide (belt and suspenders).

Lastly, when you do get infected – and you will – your last line of defense is solid backups. Bottom line: when all else fails, you have your backups (make sure you do test them; don’t assume). When thinking about backups, think about recovery point objective (RPO). I will discuss this in greater detail later (another post). Most SMBs back up once per day (most likely at night). Let’s say you back up Tuesday night at 8 pm and Wednesday afternoon at 2 pm you get ransomware: you can restore from the night prior and lose a day’s worth of work. Is that sufficient?

Something to think about.

Everything as a Service (XaaS): Microsoft changing the face of information technology

Microsoft’s Azure cloud services are growing at a rate of 100 percent a year, for good reason. Today, any small to medium-sized business starting up does not need a traditional infrastructure such as domain controllers, file servers, backup, etc. – just look to Microsoft.

A startup can utilize the cloud for all of its computing needs. Email, collaboration and telephone can be provided by Office 365 for as little as $47.00 per month per user, which includes everything from email to dial tone and everything in between. Add in Azure AD and you can authenticate your Windows 10 workstations, eliminating the need for domain controllers. Endpoints such as workstations and mobile devices can be managed via Intune, which can distribute software, patch workstations and, in the case of a lost or stolen device, wipe corporate data. File servers can be replaced with SharePoint, and most line of business applications offer a SaaS version, such as CRM Online, Salesforce, etc.

The benefit to business is the ability to be dynamic and scale on demand; a lower cost of ownership, as no hardware is required; and a pay-for-what-you-use model that is very attractive to most. Add increased security, lower support cost, higher reliability and the ability to work any time, any place, and the cloud is an easy choice.

For those companies that have a more traditional environment with onsite infrastructure, a phased-in or hybrid approach is ideal. Plan out your cloud migration starting with the simple things like email and personal files (OneDrive). Once completed, focus on the more time-consuming things like file server migration and line of business (LOB) applications. In cases where the LOB vendor does not have a SaaS version, think about moving the server to Azure. If the LOB application runs on a terminal server, it will run in Azure.

As users become consumers of information, XaaS is a natural progression for technology: on-demand delivery of subscription-based services that are scalable and dynamic.