Imagine an after-hours store burglary. But instead of the perpetrator escaping into the night with whatever merchandise he can fit in his backpack, he takes up permanent residence in some dark recess of your store, emerging periodically to see what’s new to take, to poke around for what he can sell, to vandalize, and to invite his friends over. Then imagine he’s been in there for nearly a year, and the harm he could do in that time. While that scenario is fantastical, in the cyberworld, right now, countless retailers are hosting exactly such uninvited criminal houseguests, who got in through an unsecured device.
“What he’s done in that case is to create a little beachhead, from which he’s going to pivot to other resources, to the HR system, or POS system, or go after credit card data,” explains Wayne Dorris, a certified information systems security professional and business development manager for Axis Communications covering North America. “And what they really want is simply to stay on that network, to get as much data as they can, and depending on the site and business, to look for different ways to continue to exploit their access.”
Extending the metaphor, imagine our burglar wasn’t some Ocean’s 8 mastermind, and instead of rappelling through a hole in the roof he simply walked in via an unlocked back door that you recently had installed. That’s how easy entry can be for cybercriminals, especially at retailers that lack full-time IT staff or contract out their IT services.
“A store may put an audio speaker or an IP camera onto the system, and that device’s security is just not something on their radar; they’re paying attention to the camera for the pictures it produces,” explains Dorris. “They’re thinking, ‘it’s just my camera, it’s not my POS device, and it doesn’t run on a server.’ They don’t think it’s vital.” But even if a device isn’t strategically important itself, it can provide intruders a way into systems that are, he warns. “For a cybercriminal that is golden for me,” he said. “If you don’t patch non-critical devices, they can still become a way to lead to critical losses.”
Large retailers often have network policies and requirements that make such intrusions less successful, which is why the FBI finds that small and medium businesses (SMBs) represent about 75 percent of the cyberattack surface—and why data show 50 percent of SMBs have at least one compromised device on their network. To help protect SMBs, as well as parts of enterprise organizations, Axis Communications publishes a hardening guide for its devices and provides Axis Device Manager, a tool suited to creating a cybersecurity template that prevents network add-ons from introducing a vulnerability, ensures devices are managed in compliance with corporate information security policy, and enforces encryption and configuration requirements.
Awareness of the risk from IoT devices has grown, certainly, but the threat hasn’t diminished. On average, there is still a substantial lag—several months—between the moment a vulnerability is announced and a patch issued and the moment the affected device is actually made secure. Meanwhile, cybercriminals have substantially improved their ability to exploit that gap.
“Attackers have always looked at announcements of vulnerabilities and the release of patches and worked to see if they could weaponize that vulnerability—whether the vulnerability provides them an opportunity to exploit it,” explained Dorris. “But that used to take time. What we find now is that attackers only need 7.5 days to do the work necessary to decide if they can weaponize it and use it to exploit a company’s system.”
Cybercriminals bank on that window: the difference between the week or so they need to turn a vulnerability into a working exploit and the months it takes the average company to patch its systems—about 120 to 190 days, research suggests. “The quicker I can turn it into an exploit, the longer I can be on your system. We see this all the time,” noted Dorris. When an SMB finally discovers it has a compromised device, the compromise probably began eight or nine months earlier, data show.
Complicating the patch process is that a device vulnerability may not lie in the device’s own unique components. It may be due to flaws in open source software or other underlying parts of the device, which means a fix for a camera may originate from a separate software company. Solutions like Axis Device Manager automatically install a patch when an underlying component is out of date; check whether firmware is current; prompt good cyber-hygiene on the user-management side, such as changing passwords; and coach end users to follow best management practices. Such a tool also removes unnecessary system links that intruders can exploit when vulnerabilities do arise. For example, if a camera’s only purpose is to send footage to an archive system, it can run under an ordinary user account and doesn’t need administrator credentials associated with it. “The tool can be used to remove such unnecessary vulnerabilities,” explained Dorris, who networks with standards organizations, associations, partners, and customers to enhance Axis’ IP solutions.
Once an unpatched device permits entry, a cybercriminal can do untold damage. According to the National Cyber Security Alliance, 60 percent of small and midsized businesses that suffer a cyberattack go out of business within six months—but retailers suffer even if a device’s exploitation isn’t a business killer. Perhaps an intruder will navigate from an exploited device to loyalty account data, which can then be sold to individuals so they can create accounts to buy up the complete stock of high-demand retail inventory without being detected. Or, once in, an intruder might take command and control of devices and then sell access to them on the Dark Web, to people who want to use compromised internet connected devices to amplify a DDoS attack, for example.
“That retailer will have no idea that they’ve been compromised, or that their 20 cameras are being used to attack other businesses,” explained Dorris. “You can’t expect that you’ll see the problems on your system when you’re a small or medium-size business. An enterprise system might notice, but without IT people you might never even wonder, ‘why do we have all this outbound traffic?’”
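The question Dorris poses, “why do we have all this outbound traffic?”, can be answered mechanically even without IT staff. The following is an added example, not code from the article or from Axis: it reads constructed flow records, assumes the cameras live on a dedicated VLAN (10.0.5.0/24, an assumption), and flags any camera that sends more than a small allowance of bytes to public addresses other than an assumed vendor update host. A camera whose job is to push video to an internal archive should never show up here.

```python
# Added example (not from the article or Axis): flag cameras that are talking
# to the public internet when their only job is to feed an internal archive.
import ipaddress
from collections import defaultdict

# Constructed flow log, one "src dst bytes" record per line.
# 10.0.5.x are cameras, 10.0.1.20 is the video archive server,
# 10.0.9.7 is a staff workstation (not a camera, so never flagged here).
FLOWS = """\
10.0.5.11 10.0.1.20 5200000
10.0.5.12 10.0.1.20 4900000
10.0.5.12 203.0.113.9 800000
10.0.5.12 198.51.100.4 750000
10.0.5.12 192.0.2.77 910000
10.0.5.13 10.0.1.20 5100000
10.0.5.13 203.0.113.9 1200
10.0.9.7 203.0.113.50 300000
"""

CAMERA_SUBNET = ipaddress.ip_network("10.0.5.0/24")   # assumed camera VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges
ALLOWED_PUBLIC = {"203.0.113.9"}      # assumed vendor update / NTP host
MAX_PUBLIC_BYTES = 100_000            # tolerance for update checks and the like

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    for line in text.splitlines():
        src, dst, nbytes = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)

def find_suspect_cameras(text):
    """Return {camera_ip: (public_bytes, sorted list of public peers)} for
    cameras exceeding MAX_PUBLIC_BYTES to non-allowlisted public hosts."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for src, dst, nbytes in parse_flows(text):
        if src not in CAMERA_SUBNET or is_internal(dst) or str(dst) in ALLOWED_PUBLIC:
            continue
        stats[str(src)]["bytes"] += nbytes
        stats[str(src)]["peers"].add(str(dst))
    return {cam: (s["bytes"], sorted(s["peers"]))
            for cam, s in stats.items() if s["bytes"] > MAX_PUBLIC_BYTES}

if __name__ == "__main__":
    for cam, (total, peers) in find_suspect_cameras(FLOWS).items():
        print(f"{cam}: {total} bytes to unexpected public hosts {peers}")
```

In the constructed data only 10.0.5.12 is reported; 10.0.5.13 contacted nothing but the allowlisted host, and the workstation is outside the camera VLAN.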
Stores need a plan for enforcing good cyber-hygiene. Otherwise, all kinds of mischief—and worse—are possible. “The biggest thing is to have a method in place to ensure a good process for keeping firmware up to date, changing access usernames and passwords if you think you’ve been compromised, and changing them on a regular schedule,” said Dorris.
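The hygiene process Dorris describes (current firmware, credentials rotated on a schedule) together with the least-privilege point made earlier (a camera that only feeds an archive should not hold administrator credentials) can be turned into a periodic audit. The following is an added example, not code from the article or from Axis Device Manager; the inventory, the firmware release table, and the 30-day patch and 90-day rotation policies are all constructed assumptions.

```python
# Added example (not Axis code): audit a constructed device inventory for
# the three hygiene failures the article discusses: stale firmware,
# unrotated (or never-changed) credentials, and over-privileged accounts.
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_SLA_DAYS = 30   # assumed policy: apply firmware within 30 days of release
ROTATION_DAYS = 90    # assumed policy: rotate device credentials every 90 days

# Constructed: newest firmware per model and the date it was released.
LATEST_FIRMWARE = {
    "cam-A": ("10.12.4", date(2024, 3, 1)),
    "spk-B": ("2.3.0", date(2024, 1, 15)),
}

@dataclass
class Device:
    name: str
    model: str
    firmware: str
    role: str                                  # role of the device's login account
    last_credential_change: Optional[date]     # None = still on factory credentials

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def audit(devices, today):
    """Return (device, finding, severity) tuples; an empty list means clean."""
    findings = []
    for d in devices:
        latest, released = LATEST_FIRMWARE[d.model]
        if parse_version(d.firmware) < parse_version(latest):
            lag = (today - released).days          # days the fix has been available
            sev = "high" if lag > PATCH_SLA_DAYS else "medium"
            findings.append((d.name, f"firmware {d.firmware} < {latest}, fix available {lag} days", sev))
        if d.last_credential_change is None:
            findings.append((d.name, "credentials never changed (likely factory default)", "high"))
        elif (today - d.last_credential_change).days > ROTATION_DAYS:
            findings.append((d.name, "credential rotation overdue", "medium"))
        if d.role == "administrator":
            findings.append((d.name, "service account is administrator; a viewer/operator role suffices", "medium"))
    return findings

# Constructed inventory: one neglected camera, one speaker overdue for rotation, one clean camera.
SAMPLE_DEVICES = [
    Device("lobby-cam", "cam-A", "10.11.0", "administrator", None),
    Device("dock-speaker", "spk-B", "2.3.0", "operator", date(2023, 12, 1)),
    Device("backroom-cam", "cam-A", "10.12.4", "viewer", date(2024, 3, 15)),
]

if __name__ == "__main__":
    for name, finding, sev in audit(SAMPLE_DEVICES, date(2024, 4, 1)):
        print(f"[{sev}] {name}: {finding}")
```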