Small Business Security and IOT

What is the Internet of Things?
The cars on the street zooming by, the cellphone in your pocket, the farmers irrigation system, and the factory in town. What do all these “things” have in common? They are connect to the Internet to create the almost inexhaustible expansion commonly known as the Internet of Things(IOT). While connected to the Internet, these smart devices and appliances allow our lives to become easier, efficient, and more productive. You can track the speed and the location of the new driver in your family to monitor their safety and alerted if they are speeding. A farmer can monitor his land with sensor based field mapping that has analytic capabilities for livestock or crop efficiency. The factory in town can monitor worker safety and machine maintenance to prevent or even eliminate work related hazards and machine related downtime.

The ideals behind the Internet of Things marketplace are not strictly for automation of life. This technology is intended to be human convenience factor in everyday life. On the the hand, a hacker sees this new realm of networking as a playground of destruction. Almost any new form of technology for any type of advancement could be used for malevolent purposes if it fell into the wrong hands. That car monitor can be used to track the location of a victim. The farmer’s crop sensors could be tampered with to damage crops by providing false information to the sensors. A machine can be pushed to the point of overheating causing a fire in the factory by simply changing the threshold of an internal sensor. These new threats are now classified as cybercrime and it impacts organizations daily. However, there are many simple and cost effective solutions that would eliminate these threats.

The Small Businesses & IOT

When it comes to criminals, it’s safe to say that they are opportunists. I say this in the sense that a cyber criminal is more inclined to attack a small business rather than a large corporation. There is a lot of truth behind that statement for many reasons. Small businesses usually have outdated hardware in their server rooms. Some companies even have outdated and unsupported software as old as Windows XP. Each outdated or unsupported piece of software or hardware becomes a vulnerability in a company’s network. In the case of Windows XP, is more or less a sign that screams,”Hack me please!”

There is also a workload factor involved when it comes to hackers. In a small workplace environment, a hacker may have to deal with a single firewall, two servers, and five to ten workstations. In a larger corporation, there may be multiple server rooms to infiltrate across multiple locations. Gaining persistence in a small workplace is a lot easier to manage than in a large corporate network. Every second a hacker is in your network, he is attempting to stay as hidden as possible. WIthout constant monitoring, a hacker can plant malicious backdoors and return to them at his/her leisure. This usually results in attacks occurring at late hours of the night when no one is working. Then employees come in the next day and wonder their computer is off or not working.

Here is where the threats behind IOT plays a role in the small business. The new company smart refrigerator, the new smart wireless cameras in the office place, and Bob’s new smartphone. Now these topics I picked at random just because I have had personal use with them when testing their security with a skill called Penetration Testing. Again, all of these connect to the internet to make our lives easier in some way. But from a security point-of-view, these are just more ways to break into the network. The operating systems on these “smart” devices are very usually simple and easy to exploit. Exploit being a term used by hackers meaning to break into a device. All the while these devices are connected to the internet, they broadcast their identity to your network. Sometimes these devices are even seen publicly. In the next couple of paragraphs, we will look at some scenarios of actual hacks that have occurred.

The smart refrigerators fail at secure communication. Not saying every smart refrigerator on the market is insecure, but it is best practice to research any smart device before it is purchased. Some smart refrigerators do not properly implement secure communications between the user on the fridge and the applications installed on the fridge that are connecting to the internet. Applications on the fridge allow you to connect them to your email account and this is where the vulnerability lies. Every Time you log into your email account, there is a secure connection used to transmit your account data. However with a smart fridge in this instance, that security is not established. That is when a hacker monitoring your network obtains the credentials to your account.

Smart cameras or IP cameras. These devices allow you to connect and watch your company from your cellphone or some website interface client. These are awesome to monitor your businesses while you are away. These cameras must be loaded with security features, right? The fact is sometimes they are, but more often than not, these smart cameras are hackable due to having default passwords. Moreover, some cameras have many well known vulnerabilities that can be found with a little research online.

There is a wide selection of smart cameras to choose from online and could range from $50 to $500 or more. Financial situations arise when a company needs needs five to ten new smart cameras to secure the business and monitor operations remotely. So a company may want to purchase cheaper cameras to save money. However, cheaper cameras online are usually riddled with vulnerabilities that are easy to exploit. For this situation, “Company A” has purchased ten new top-of-the-line cameras and need to install them in their warehouses. So they task a couple of their team members with this job to install and network the cameras properly. The boss is able to view the operations remotely.  He/She then has them installed, but misses the most crucial security step which is changing your default passwords that are setup to configure the device. Just like your home wireless router, if the device has default usernames and passwords, they are at high risk for being exploited.

They new smartphone! This one is a favorite because it is figuratively a walking vulnerability. Most smartphones are vulnerable to attacks that could carry with it malware that is transferable to local workstations. Without mentioning any brand names, I have one of the newest smartphones on the market and from my research, it has turned out to be one of the most vulnerable to attacks. Attacks that could open up and stream the front and back camera, send and receive text messages, copy all contacts, call logs, and text messages, and geo-locate via satellite or wi-Fi. Not only are the vulnerable to attacks, but they are great for carrying and administering malware.

For example, Carry from account has been visiting some less-than reputable websites. One of those websites has downloaded a piece of malware called a Trojan on to her smartphone. When Carry then brings the cellphone to work and connects it to her workstation to charge and look at pictures on her phone from the company picnic. When the cell phone connects to the computer, the malware is then transferred to the company workstation. The malware then allows a hacker to back door his way into your network.

High Stakes

There is no end all be all solution to crime, but we can prevent and mitigate a cyber criminal’s attempts on your businesses network with solutions such as Quickwatch to actively monitor network traffic to catch threats before they occur. Security breaches in a company’s network can be very costly both financially and timely. The lifecycle of an attack does not begin and end with a breach. As seen with Advanced Persistent Threat (APT), there could be years of company stalking and unseen or overlooked backdoors in the network. Indirect consequences of these cyber crimes can result in wasted resources and/or missed opportunities from an operations down-time. Moreover, companies may often feel incented to downplay the effects of a breach to avoid media attention.

Many companies may hire and create a proactive IT staff to prevent these situations from occurring. This is a great starting off point, but it is extremely costly. Law Enforcement, healthcare facilities, legal firms, and Industrial complexes all hours extremely important and critical information that could be detrimental to a company’s clients or customers. These IT staffs would need to be compliant to constantly changing standards such as PCI compliance, HIPAA, or even DOD related standards that cost time and money to properly and effectively implement on employees. IT Security is a 24/7 business where an break in the monitoring of network could become an exploitable hole to breach.

Incidentally, from these IOT related devices, a larger margin of risk is introduced that must be mitigated. IOT devices, while new and developing, use Operating Systems just like the computer you are using right now. The only difference is that these devices lack firewalls and other preventative software that is crucial in the security aspect of things. For instance, let’s take the a look at a standard smartphone. Most, if not all smartphones, run a Linux based operating system. These small operating systems can be used as a means to introduce malware or backdoors right at the heart of a company, the employees. Malware can be transmitted from a smartphone directly into a computer inside a network without any insight and it happens more often than people perceive.

Knowing who to trust with your network and critical data is pertinent in today’s world because cyber criminals do not care who or what they target. Having a strong network infrastructure with constant monitoring and real-time preventative security measures can prevent many of these types of attacks from happening. Understanding and knowing where your network vulnerabilities allows you to configure and implement security policies that could stop cyber criminals in their tracks.


by Michael Frauenhoffer