The Internet of Things (IoT) is becoming a bigger and more complex cybersecurity threat that IT managers must take seriously, according to industry experts.
Social engineering is essentially the act of manipulating people so they give up confidential information. The types of information that criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to deceive you into giving them your password or banking information. Alternatively, they could be trying to access your computer to secretly install malicious software, which will then give them control over your computer and allow them access to your personal information.
Typically, social engineering hacks take the form of phishing emails, which seek to have you divulge your information or redirect you to websites, such as fake banking or shopping sites, that look legitimate and entice you to enter your details.
New Threats for Individuals
The threat of social engineering in the IoT consists of hacking things that are connected in your world. In the news are unsettling reports of the hacking of baby monitors and TVs. Connected things can be a gateway into other more powerful connected devices and sensitive information. Social engineering attacks within the IoT will challenge confidence in safety and privacy and not just the security of the IoT.
Social engineering in the IoT is a strong type of force-multiplier, as people ultimately have control of all 'things' connected: hack the person and you have access to it all, which could be their home, their business, their car, and their personal information. We all agree that the scenario of someone hacking into our personal home network and gaining control of, say, our connected garage door opener or door locks is horrifying to say the least, but think about the bigger picture. If the criminal does manage to access the computer platforms or network that controls all these things, they now have access to all of your personal information, which can lead to identity theft or fraud.
New Threats for Businesses
As the Internet of Things, mobility and ever-expanding reliance on networked computers or connected devices continue to grow, the threat of social engineering also increases. A major weakness for businesses is that hackers are more sophisticated than ever and adept at social engineering. They are able to piece together data from social media, corporate blogs and data painstakingly pulled from systems, devices and well-meaning employees, which these cyber-attackers will use to attack networks and steal invaluable data, hold corporations hostage, or otherwise damage their targets.
Combatting Social Engineering Threats
There are multiple ways to combat social engineering and phishing attacks, but they are most effective as a layered approach. Security perimeters today are still permeable and we must take steps to address the holes. Security should be everywhere and it should be a fundamental part of the fabric of the IT and network infrastructure. Here are a few tips for combatting social engineering attacks in your business:
- Education – ensure all employees and customers are educated on social engineering attacks and how to spot a phishing scam.
- Strong password policies – create guidelines to ensure strong passwords are being created and changed on a regular basis.
- Device certification – give every IoT device an identity to ensure devices only communicate with other trusted devices. Using PKI-based identities provides key information security capabilities, including authentication, encryption and data integrity.
- Multi-factor authentication – to make it more difficult for hackers to access our devices, we should implement multi-factor authentication. This means even if hackers had access to your password, they still wouldn't be able to access accounts.
- Installing updates – manufacturers should always be looking out for vulnerabilities and supplying fixes and patches in their updates. When educating your users, make them aware of how critical updates can be, to ensure they are getting installed.
If you have missed any of our previous posts in the ‘Threats to the IoT series’ then you can look back using the links below.
- Beware! Data And Identity Theft in the IoT
- Man-in-the-Middle Attacks in the IoT
- The Rise of Thingsbots
- Closed for Business - the Impact of Denial of Service Attacks in the IoT