We’re in week 2 of Cybersecurity Awareness Month, and the theme this week is “Fight the Phish”. Phishing is when cyber criminals try to lure you into revealing confidential information, passwords, financial information, or other data. Most phishing is done via email (96%), often looking like a legitimate person or organization. Nearly 1/3 of cyber breaches are the result of phishing; when the purpose is cyber espionage phishing is used 78% of the time (2019 Verizon Data Breach Investigations Report). And email-based phishing efforts are fast growing – with 11 times more phishing reports in 2020 than 2016.
When it comes to Fighting the Phish, Viakoo recommends putting focus on IoT devices and ensuring that IoT cyber vulnerabilities can’t be exploited. Cyber criminals know that IoT devices often are not managed by IT, they lack built-in security, exist in large numbers, and they possess powerful computing, storage, and networking capabilities. That’s why many botnet armies are formed using IoT devices, and their scale can be gigantic (some botnets have hundreds of thousands of devices under their control).
The connection between phishing and vulnerable IoT devices is clear – botnets comprised of IoT devices often are responsible for sending massive amounts of spam email, the vehicle most used in phishing attacks, as well as perpetrating distributed denial of service (DDos) attacks. To show the impact IoT botnets can have, one massive botnet (Srizbi) infected over 450,000 devices and was used to deliver bulk spam emails; when it was taken down in 2008, global spam volumes dropped by 93% as a result.
Keeping IoT device firmware on the latest and most secure version should be top of the list for Fighting the Phish. Vendors are good at providing patches or firmware updates to overcome known vulnerabilities; IoT operators are not good at implementing them. Keep focus on preventing known vulnerabilities from being exploited by keeping firmware up to date; automated methods (like Viakoo’s Device Firmware Manager) simplify the process so a single person can update devices at scale across multiple site and geographies.
In addition, beware of phishing attacks that aim at getting IoT devices credentials. In getting IoT credentials via phishing attacks, cyber criminals are able to plant ransomware, establish botnet armies, and most importantly gain control of data. Consider moving to a Zero Trust architecture where certificates (802.1x/TLS) are used to verify device identity and encrypt data traffic instead of login credentials.
The grow of IoT as mission critical devices to many organizations has clearly expanded the attack surface cyber criminals can exploit for phishing and other cyber attacks. Using automated firmware updates, deploying and managing certificates on IoT devices, and maintaining basic cyber hygiene like enforcing password policies on devices is the best way to stop these cyber threats from impacting your organization. As the leader in IoT vulnerability remediation, Viakoo believes the battle can be won against phishing – if you do too reach out and let’s take on this fight together.