Trend Micro CTO Calls for EU Smart Device Security Standards
Trend Micro has warned that countless European organizations are under threat of attack because unsecured IoT devices, databases, servers and industrial control systems may be publicly searchable from the internet.
In its US Cities Exposed study released at RSA Conference yesterday, the firm claimed that millions of such systems are searchable via Shodan, putting organizations in all sectors as well as individuals at risk.
This means hackers could easily look for vulnerabilities or craft targeted attacks designed to compromise systems such as firewalls, webcams, network-attached storage (NAS) devices, routers, printers, phones, media players, web and email servers, databases and wireless access points.
NAS devices and databases could contain highly sensitive corporate IP and customer data, industrial control systems offer an opportunity to sabotage key equipment, and compromised smart devices have already been used in serious DDoS attacks by the Mirai bot herders, Trend Micro global CTO Raimund Genes argued.
The problem is not just US-based but a global one, which means organizations in Europe also need to be aware that any exposed system represents an incursion point for attackers into the corporate network, he added.
IT teams can help to mitigate the risks through measures such as network segmentation, tighter access controls, log analysis, data encryption, incident response and threat intelligence, said Trend Micro.
But Genes also called on European policymakers to develop and enforce smart device security standards in the region.
“Products without a baseline of adequate security simply shouldn’t be allowed to be sold here. Politicians and regulators should wise-up to the scale of the threat we’re facing, and design something akin to the 'CE mark' – a seal of quality for internet-connected products,” he argued in a blog post.
Genes warned that although it will improve data protection standards, the coming European GDPR doesn’t address the threat posed by smart devices exposed to the public internet.
“Until there’s blood on the streets nothing will happen. But this is a major issue,” he concluded.
Source: Information Security Magazine