Your Firm’s Cyber Vulnerabilities May Be Where You Least Expect

In our latest article, we take a look at some of the many cyber threats which many companies do not consider – potentially to their cost.

One of the biggest mistakes any firm can make is treating cybers security as a ‘tick box exercise’, as what makes one company secure, may leave another exposed.  In part, this is because the potential weaknesses which cybercriminals will leverage for their gain are far broader than most would ever consider.  And rather like a magician using sleight of hand, while you are focusing on the security of your network firewall, they will be looking in areas that you have yet to make secure.  In this article, we will look into some of the ways your firm may be left open to a cyber-attack which you and your cyber security team may not have considered…yet.

Your legacy devices could be your weakness

Digital security specialists, McAffee, recently undertook research which revealed how phones used by 90% of Fortune 100 companies are vulnerable to cyber-attack.  They discovered that software embedded in Avaya VOIP phones, specifically their 9600 desk-phone model, contained a ‘Remote Code Execution (RCE) vulnerability’, which could allow an attacker to ‘bug’ a phone and listen in to the audio.  While this has now been resolved by the manufacturer, McAfee believes the bug had been there for as many as 10 years.  They explained it was copied from open source code, and the vulnerability had not been detected or resolved in security patches.

It is all too easy for old, outdated, legacy devices to remain active within your corporate network environment, rather than being decommissioned, or made safe with ongoing patching/updates.  A single computer on your network running a legacy Windows operating system can become your firm’s Achilles heel.  The WannaCry ransomware attack leveraged a legacy network transport layer called “Server Message Block” (SMB) used for file and print sharing for Windows-based computers.  Indeed, it is SMB’s interconnectedness which makes it a useful tool for spreading malware.  The solution…ensure each and every computer and device is patched with the latest security updates, no matter how old.

New and unexpected cyber security risks

A recent example of a new vulnerability revealed why firms must look far beyond computer devices for cyber threats.  In this case, researchers were able to hack into a DSLR camera (a Canon E0S 80D), take control, and encrypt all of the photos on the device; and this was possible via wi-fi.  Once they have encrypted the pictures, they can then demand a ransom in return for their decryption.  The researchers took advantage of the Picture Transfer Protocol (PTP), which is unauthenticated and is able to handle “dozens of different complex commands”.

Such a risk could be considerable for a range of businesses reliant on photographic images.  For example, in the context of a law firm, a Wi-Fi enabled camera containing photographic evidence for a legal case could, in theory, be hi-jacked and encrypted – placing the case in jeopardy.  Users of Canon Wi-Fi DSLR cameras (although other camera makes could be affected) have been advised to update the device’s firmware, but also to avoid unsecured wi-fi networks, and switch off networking functions when not being used.

For the medical industry, it will become increasingly vital to prevent the cyber hacking of medical devices and patient implants.  Up to now, devices such as pacemakers and glucose monitors were stand-alone units with no connectivity but connected implants will become increasingly common.  These new devices will herald a new age of real-time clinical data capture and analysis, allowing, for example, doctors and AI systems to analyse the heart rhythm of a patient as they go about their daily lives.  But the downside of this is that they may be vulnerable to cyber-attack.  What is most concerning, according to the Nuffield Council on Bioethics, is that currently, there are no regulatory requirements to prove the cybersecurity efficacy of implants before they are approved.

With the expected growth of IoT devices –  it is estimated by mobile technology firm, Ericsson, that IoT devices will grow “at a CAGR [compound annual growth rate] of 21 percent, driven by new use cases” – the range of connected technology (and therefore hackable) will be mind-boggling.  This reinforces the point that all firms will need to widen the scope of their cybersecurity efforts from traditionally vulnerable devices to any devices with an IP address.

In summary

As we have established, all businesses must widen their field of view when thinking about cyber security to incorporate the old (legacy devices) and the new (the broadening range of connected devices).  By building these aspects into your cyber security strategy, you will be ahead of many companies who have yet to realise that an increasing amount of technology on which their business relies is open to cyber-attack at any moment.

Lineal is a global leader in cyber security.  To find out more about our services, please call us on +44 (0)20 7940 4799 or email info@linealservices.com.

September 6th, 2019|