This interview originally appeared in CyberNews
With the pandemic forcing everyone to use personal devices and networks from home, companies face having many vulnerable spots which become a welcoming door for cyber felons. These weak points can then be used to hack into the company, including its IoT devices.
Not having proper protection tools for IoT devices can have major consequences for both businesses and individuals. As Bud Broomhead, the CEO and Founder of Viakoo, an enterprise IoT security company, says, “breached IoT devices can have devastating impacts, such as changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.”
However, traditional cybersecurity measures might just not be enough to secure a whole organization. That’s why we invited Bud Broomhead to discuss what he’s learned along his journey as a cybersecurity business leader.
How did Viakoo originate? What has your journey been like?
Viakoo’s origin is in its name – “akoo” is a Greek root word meaning “to listen to the point of comprehension,” same root word as acoustic, and “via” is a path. So, Viakoo means a path to comprehension through careful listening.
When we founded the company back in 2013, the original idea was to listen to metadata about IoT systems and turn that data into useful information to help customers manage uptime and performance. As we perfected Viakoo’s technology, we extended our capabilities to also focus on the cyber aspects of the devices used in those IoT applications. True to our name, we listened to customers to address cyber issues to broaden the scope of securing their devices.
Security cameras, kiosks, card access readers, and smart building devices are considered to be “cyber-physical,” meaning they have both a physical and a cyber presence. Whether loosely or tightly coupled, there are three key elements to securing these devices which include certificates of authenticity for each device, security fixes via firmware upgrades, and credential enforcement and rotation. The core challenge is to do these things at scale with automation.
Viakoo has delivered over one billion hours of security management on over one million IoT devices at many of the world’s largest and most distributed organizations, ensuring the highest level of cybersecurity and protection. We’ve been leading the way to deliver effective solutions and shielding our customers’ environments, and we are still listening and responding.
Can you introduce us to your Viakoo Action Platform? What are its main features?
We recently launched our Viakoo Action Platform which ensures devices have vulnerabilities remediated, can rejoin the network safely, and function properly. This is possible due to the use of an enterprise-class solution, delivering full device remediation, repatriation, and compliance. The platform provides 802.1x certificate provisioning and management, firmware upgrading for security fixes, and password enforcement. Patents on reaching IoT devices across multiple network topologies.
Our goal with the Action Platform is to automate the ability to identify, monitor, and update device firmware, passwords, and network certificates for an unlimited number of devices across an enterprise to keep them operational, reliable, and secure. The platform repatriates the remediated devices back into production as fully operational network citizens with full audit documentation for compliance and governance. This is really an ideal solution for cyber buyers who are concerned about the massive cyberattack surface their collection of IoT devices present while delivering value to the business by working across multi-vendor environments to deliver the real-time view of every IoT device.
The platform is agentless and works across multi-vendor environments to provide a real-time view, and we partner with leading discovery tools like Armis, Claroty, and Forescout for threat detection. We’ve had major traction with Fortune 100 companies across industries like finance, healthcare, and other large enterprises as part of a holistic cybersecurity approach.
What are the most common vulnerabilities associated with IoT devices?
Unlike IT systems, IoT devices often lack automated methods of remediating vulnerabilities, giving the potential for this vulnerability to be present for a long time. Bad actors are eager to exploit any crack in your defenses, including outdated passwords, firmware, or certificates. Because devices are so distributed and often of different makes and models, manually managing device security across multiple locations like cameras, kiosks, intercoms, and other equipment can be very difficult to accomplish at scale.
Such threats include the recently discovered cyber vulnerability in Apache Log4j, a widely-used, open-source Java software package. This vulnerability can be exploited on IoT applications and devices as well as traditional IT applications and devices. When exploited, this vulnerability allows an attacker to run arbitrary code on the device, giving full control to the attacker. Once under control by a threat actor, the risk from a breached IoT device can have devastating impacts like changing the chemical balance in a municipal water supply, replacing real camera footage with deepfakes, or disrupting transportation systems.
How did the pandemic affect the IoT landscape? Have you noticed any new security issues arise as a result?
Without question, enterprise cyber risk is higher with many employees working from home; the network is not typically under the control of corporate IT and the protection that corporate IT can provide. The good news is this is not an unfamiliar situation – enterprise IoT devices typically operate on networks not managed by corporate IT, and the best practices from IoT security directly apply in work-from-home situations.
You often stress the importance of implementing the Zero Trust model. Would you like to share more about this approach?
Implementation of Zero Trust initiatives is rapidly expanding as a valuable methodology to help organizations ensure security for their critical cyber assets. Zero Trust models are based on the principle of “never trust, always verify,” restricting access to networks, applications, and infrastructure unless explicit validation is confirmed. This model trusts no one at each step of access continuously without sacrificing user experience or system performance. Typically, this model has been applied to traditional IT infrastructure, such as networks, applications, and servers.
Having clarity over what is in a software distribution via an SBOM makes finding vulnerable systems easier. Automated implementation of security fixes is needed to address the scale issue, both number and geography, especially with IoT systems. Extending Zero Trust to IoT/OT devices can add additional security to prevent vulnerabilities from being exploited.
Why do you think so many companies struggle to keep all of their devices under control?
Businesses definitely struggle to keep pace with the cyber vulnerabilities from the thousands of unmanaged and IoT devices that keep their employees and facilities secure and perform critical functions to ensure the business or facility runs smoothly. It’s estimated that more than 40 billion connected IoT devices will be operating by 2025, and each one is a potential entry point into a business. However, manually managing device security across multiple locations, which may include cameras, kiosks, intercoms, and other equipment, is impossible at scale.
Cybersecurity experts recognize the fast-growing threats and vulnerabilities to their organization’s IoT infrastructure (like cameras, office equipment, medical devices, building controls, etc.). However, IoT vulnerability remediation is not as straightforward as traditional IT systems, with several challenges that make it very different to manage.
IoT is distributed, from employee devices and servers to security cameras or lobby badge scanners. The devices in the network often have multiple makes and models, so having to learn and manage through several vendors’ unique consoles and interfaces adds to the complexity. Also, personnel responsible for IoT devices are usually not IT people. In many organizations, these devices would be under the control of OT (operational technology) personnel who may not have the skill sets and proficiency that IT personnel would have.
What should be the first steps in securing an enterprise’s IoT devices?
Because IoT devices are typically managed by the line of business, and credentials to access those devices may be more available than IT systems (e.g. the facilities engineer who can access the HVAC system), particular caution should be taken to ensure IoT passwords are managed, rotated, and secured in the same way as IT systems would be. Likewise, ensure all network-connected devices are using the latest (and most secure) firmware by immediately updating all devices that have not been updated, and have automatic updates enabled if the device allows.
For employee devices, they should connect to a segmented or separate network from general home use to reduce the risk of malware from home use spreading into the corporate network.
Similar to a “guest network”, almost all home routers have the ability to support a separate network that can be secured independently.
Know what is on your network by using an asset discovery solution that shows all the network-connected devices. This can uncover rogue devices connected to your network that are controlled by others, which can then be blocked. Knowing all your network-connected devices is the first step to securing them.
And for individual users, what security measures do you think everyone should take nowadays?
With the prevalence of exploits in widely used plugins and components, it’s up to each and every end-user to take action to prevent the vulnerability from being exploited against them. Everyone should think about their online security both in and out of the office. The top priority is to use a password manager and generate new unique passwords for each device. Cybercriminals know that many people use the same passwords for home use as they might for business use. Make sure you don’t reuse passwords and rotate passwords regularly to protect against passwords being misused.
Use a VPN for connecting to corporate systems so that traffic from the home can be encrypted. Check with your IT department if they can install certificates (802.1x and TLS/SSL) to authenticate the devices used at home and encrypt traffic between them. This way, even if a threat actor intercepts the traffic, they cannot use it.
Last but not least, it’s important to use antivirus solutions on all devices that can scan both files and applications to ensure they are not vulnerable. Consider eliminating unused apps, both to make antivirus scans faster and to reduce the potential attack surface.
Share with us, what does the future hold for Viakoo?
Ask yourself whether you see your world getting more or less smart devices in it. Presuming you answered “more” and not less, we see the market coming straight at us. And given the rising stakes in cybersecurity, it is rapidly moving to becoming a must-have or in fact, a critical element of any enterprise security portfolio. I like our side of the football on this one.