State-sponsored groups are leveraging weaknesses in IoT devices to build botnets, and attacking private industry and public infrastructure in attacks, according to a Booz Allen report.
The year 2019 is likely to see an increase of state actors taking aim at the private sector in foreign companies, continuing an ongoing trend over the past several years, according to the 2019 Cyber Threat Outlook published by defense industry firm Booz Allen Hamilton on Monday.
The report cites economically-motivated attacks, that aim to "steal information, such as intellectual property and corporate bidding strategies, to help an adversary's domestic industry," as well as DDoS attacks against private and public resources, and information warfare strategies that "attempt to inflame or generate public relations and legal controversies to harm targeted sectors and companies with investor, regulatory, consumer, or political backlash."
SEE: IoT security: A guide for IT leaders (Tech Pro Research)
Criminals mount these attacks in a variety of ways, including by exploiting weaknesses in consumer devices and protocols, as well as by manipulating group behavior through maliciously applied sociology.
Here are three ways state actors are targeting businesses, and how to stay safe, according to the report.
1. IoT devices
Internet of Things (IoT) devices are effectively network-attached purpose-built computers, and these computers require the same level of security attention as any desktop or laptop on your network. State-sponsored attacks are increasingly leveraging IoT devices to build botnets, which then tunnel connections through Tor for pseudo-anonymity, and are used for DDoS attacks such as VPNFilter, for which the Ukrainian Security Service claimed Russian state actors were building in an attempt to destabilize the Champions League finals held in that country.
According to the report, this strategy is made easier as "15 percent of IoT device owners don't change their devices' default passwords, and 10 percent of IoT devices use one of the same five passwords for administrative access."
How to protect your IoT devices:
- Change default passwords and close all unnecessary open ports on existing IoT devices on your network.
- Establish a process to inventory, identify, scan, and secure new devices as they are integrated into the environment. Where possible, isolate IoT devices on a separate VLAN and allow principle of least access to govern, monitor, use, and connect to the device.
- Include IoT devices and networking devices in your organization's vulnerability management program. Conduct regular external and internal scans for vulnerable devices. Establish and adhere to service-level agreements for patching with real consequences for non-remediation.
AI-generated or edited video, commonly called "deepfakes," use machine learning to create plausible forgeries used to depict events that never occurred.
"The incorporation of malicious deepfakes could be a valuable tactic for increasing the effectiveness of cyber operations intended to spread false information, discredit or damage the reputation of targeted organizations, or even create political turmoil and spur international conflict," the report stated. "Weaponized leaks-in which data is stolen and released publicly, sometimes with falsified data blended in-have increasingly been leveraged in influence operations." Additionally, deepfakes can be further weaponized by being inserted in stolen legitimate data.
How to avoid deepfakes:
- Develop a reputation-monitoring capability to alert your public relations and communications teams of breaking negative news about your organization, true or not. Conduct regular proactive outreach on social media to establish your public relations team as a trusted source of news to combat these misinformation campaigns.
- Engage your leadership and communications teams in tabletop exercises to plan and practice handling the types of reputation attacks which are most likely to target your organization.
3. Wireless connectivity
Wireless communication protocols in use today are built with a security-first mindset, though vulnerabilities do exist. Legacy systems, such as municipal alarm systems, have been demonstrated as vulnerable, as security researchers have found that control packets can be captured, modified, and replayed. Likewise, DTMF-based systems, like one hacked in Dallas, are inherently insecure.
Security in wireless connectivity can be a life-or-death matter. As the report notes, "In April 2018, the U.S. Food and Drug Administration (FDA) issued an alert to patients using a particular heart implant to update their device firmware, as the implants were found to be vulnerable to wireless cyber attacks using 'commercially available equipment.'"
How to protect your wireless communications:
- Disable unused wireless protocols where possible, such as Bluetooth on laptops and desktops.
- Expand the scope of existing attack surface and penetration test assessments to include known propriety wireless protocols exposed to the public.
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Phishing attacks: A guide for IT pros (TechRepublic download)
- Information security policy (Tech Pro Research)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2018 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)