Seven IT risks that no one thinks about
NTT Security, which specializes in protecting against IT risks, warns of the threats posed to corporate networks by "non-classical" IT systems, especially from the Internet of Things.
It is now common knowledge that you should not open an attachment to an e-mail from an unknown sender or plug in a USB stick that you have found. Most employees are no longer that naive. But there are also IT risks that even security experts are often unaware of. The Internet of Things (IoT) and the integration into corporate networks of numerous systems that are not part of traditional IT have created new potential points of attack. The central problem is that most providers of such systems, such as elevator manufacturers or suppliers of building technology, have little background in IT security - yet their equipment and systems are highly relevant to it.
Two kinds of IT risks
There are usually two dangers: on the one hand, the systems themselves can be disrupted, damaged or paralyzed by attackers, with consequences ranging from unpleasant to devastating depending on the type of system; on the other hand, attackers can use those systems as a springboard - "system hopping" - for penetrating corporate networks.
According to NTT Security, companies should keep the following scenarios in mind:
- Elevators are a prime example of the range of IoT applications - the troubleshooting and remote maintenance this makes possible considerably increase the efficiency of the systems. Few people realize that maintenance companies, which may not have a security concept of their own, thereby gain largely uncontrolled access to the IT environment.
- Modern air-conditioning systems are often accessible via the Internet for maintenance purposes - this not only provides dangerous access to the corporate network; tampering with an air-conditioning system - in the data center, for example - can cause devastating damage through overheating or system failure.
- Fire alarm systems are also usually not considered in security concepts - tampering can significantly disrupt operational processes, for example through false alarms; it can also cause considerable damage, for example by triggering a sprinkler system.
- Access control systems are often integrated into the IT infrastructure, but this creates a gateway through which attackers can gain not only unauthorized physical access but also access to corporate networks.
- More or less all companies depend on an undisturbed power supply, so the effects of successful attacks are all the more serious here; yet an uninterruptible power supply (UPS) or power management system is in most cases not perceived as a possible point of attack.
- Entertainment systems are operated in many companies: the usual TVs in the conference room, for example. Common smart TVs have a web connection that is easy to attack; smart TV cameras, for instance, can also be activated remotely. But few companies have securing their TVs on their radar.
- Even in canteens, devices are now often networked, such as smart coffee machines, some of which have displays for awareness campaigns or general company news. Many manufacturers have remote access to the machines for troubleshooting or for reordering coffee, but this access is usually not monitored. Since the availability of the coffee machine is taken care of, but not the corresponding software updates and security configuration, this creates yet another gateway into the corporate network.
Expand the field of view
"The IT security philosophy has traditionally focused on IT systems and networks," explains Christian Koch, Senior Manager GRC & IoT/OT at NTT Security. "However, this no longer corresponds to the current threat situation: in the age of the Internet of Things, potentially everything that is powered by electricity is a system component that can be addressed via the Internet and is therefore automatically a potential target for attack. Companies therefore urgently need to broaden their field of vision and consider these risks as well."