Hackers are relentless adversaries who incessantly create new tools and methodologies to take advantage of known exploitable vulnerabilities within networks.
While some exploits may be discovered long after the introduction of a new software application or network device, a large contributing factor to the dynamic nature of cybersecurity is the fluid state of technology itself. New products, software, and protocols are constantly being introduced. While these new technologies often bring new potential productivity and added value to your company, they also introduce a common security conundrum. How do you secure a new gadget or technology you are unfamiliar with?
An Unprecedented Windows of Change
COVID-19 has transformed the way we work in a very short amount of time. Cybersecurity personnel who only months ago spent most of their attention and budgets towards on-premise security, now must protect personnel and resources dispersed across remote workspaces. As companies have scrambled to provide infrastructure and policies to put remote work strategies into place, they have found themselves having to transform their security methodologies as well. In addition, on-premise environments are also being transformed as new technologies are being introduced to combat the COVID-19 virus itself.
So let’s look at a real example of securing a new technology. Many companies have recently implemented temperature scanners into offices as a precautionary measure to identify likely COVID-19 carriers. Something as simple as a temperature scanner may sound quite innocent in regard to cybersecurity but think again. In 2018, hackers were able to breach the network of a Las Vegas casino by exploiting a smart thermometer that resided within an aquarium located in the main lobby. The thermometer scanner monitored the water temperature of the aquarium and was connected to the casino network through an IoT connection. By hacking the device, the attackers made off with a 10 GB database of the richest high roller guests that frequented the casino. The database was uploaded from the thermometer to the cloud where it was eventually downloaded to a device in Finland.
In light of this attack, some companies are concerned about the vulnerability of their recently deployed temperature scanners. The fact is that any device that can connect to a network, the Internet, or another device imposes an inherent risk to your enterprise. To date, there have been no reported attacks involving temperature scanners deployed during the COVID-19 outbreak. By and large, handheld thermometer scanners are secure from hackers unless connected by a cable, Bluetooth, or wireless to another device or network. Still, Protected Health Data (PHI) is subject to regulatory requirements (HIPAA) including equipment such as a temperature scanner and companies should be aware of their obligations.
Simple Guidelines to Protect New Technology
While every technical device is different, there are simple security measures you can take that will go a long way in securing them. Due to the interest in securing thermometer scanners, we are including some of the guidelines provided by the FDA concerning the management of cybersecurity in medical devices.
- Always register a new product with its manufacturer. This is usually done today through the vendor’s website. By officially registering the product, the vendor can provide you with updates and alerts concerning the product.
- Turn WI-FI or Bluetooth off when the device is not in use.
- Limit access to devices through an approved user authentication method. This includes username/password, smartcard, or biometric recognition.
- When applicable, employ a layered authorization model that differentiates privileges based on the user’s role (standard user, system administrator, etc.) or device role.
- Always avoid the use of hardcoded or common passwords. Hardcoded passwords are passwords that are identical for a designated device type. Passwords for any device should adhere to your company’s password policy in the same way that user desktop machines and servers are required. Unfortunately this isn’t always possible due to the inherent password restrictions of the device.
- When appropriate, have users completely log out of a device before leaving it.
- Enable some type of automatic timer to terminate sessions of inactivity.
- Where appropriate, provide physical locks on devices and their communication ports to minimize tampering.
- Keep your device updated with the latest firmware updates and security patches. If possible, require user authentication or other appropriate controls before permitting software or firmware updates.
- Mandated corporate security standards and policies should be created and applied to any new technology before deployment.
One of the most effective tools you can have in your cybersecurity arsenal is a vigilant employee that understands the importance of practicing proper cyber hygiene.
Regular cybersecurity training that emphasizes best practices will go a long ways. Of course, the crucial area to navigate is cyber security regulatory requirements.
Organizations must understand and document what data is used, how it is used and stored, and implement reasonable safeguards according to applicable standards such as HIPAA and state Privacy regulations.