Over the past year, the HORNE Cyber penetration testing team conducted advanced penetration tests of organizations in many different sectors: from healthcare, financial services, and manufacturing to food production and retail. A constant theme across every tested organization was the proliferation of IoT devices that allowed our team members to infiltrate, observe, and move around target networks.
With the focus of most organizations' defense being placed on the core enterprise IT systems, an attacker can avoid scrutiny and gather the same intelligence without the need to compromise more secure systems. After all, why bother compromising a well-defended file share, when every document worth reading winds up going through well-connected printers, scanners, and copiers? With improvements to the fidelity of security cameras and the microphones in Voice-over-IP devices, an attacker's eyes and ears into a target organization are becoming more effective.
Moving forward, it's important that we realize that the complexity we bring into the network with every device added is the enemy of security. As individuals, organizations, and in the context of national critical infrastructure as a whole, we have to innovate to provide acceptable and improving services; however some effort needs to be put towards balancing the benefits of advanced control systems with ease of deployment and security.
I am looking forward to presenting more on this topic at the upcoming 2016 Fall Meeting of the Industrial Control Systems Joint Working Group (ICSJWG) on September 13th. Established by the Department of Homeland Security's Industial Control Systems Cyber Emergency Response Team (ICS-CERT), the ICSJWG is one of the most prestigious and important security conferences of the year for ICS stakeholders.
Through my presentation entitled Lessons Learned from Exploiting IoT in the Enterprise, I will be sharing how our offense-oriented services have taught us some lessons about the security of IoT systems in the enterprise. I will also share specific case studies of vulnerable IoT devices that we have encountered, and discuss reasons why an advanced threat group might be thrilled to identify them on a target network.
You can register for ICSJWG here. Hope to see you there!