Invitation to Exploitation: Risks to Enterprise Environments from Mass IoT Vulnerabilities
A compromised IoT device on an enterprise network is a launchpad for attack – an invitation to exploitation. IoT is an ever-expanding attack surface about which we hold many misconceptions and assumptions, but for which we have few policies, regulations, or security measures. These are devices built for one purpose, not meant to be upgraded, and rarely if ever patched. In our pursuit of innovation, more devices are enabled to connect and communicate online. IoT is moving deeper into enterprise environments, driven by consumer demand and the desire for BYOD, eroding segregation and escaping visibility as the online exposure of both sensitive data and critical systems increases. However, we’ve failed to construct a framework to effectively control and secure the capabilities created.
This talk discusses threats and risks to our enterprise attack surface from a recent series of mass IoT vulnerabilities: Urgent/11, Ripple20, Amnesia:33, Number:Jack, Name:Wreck and more. We’ll walk through an analysis of possible cyberattacks that could leverage these flaws. The objectives are for attendees to better understand IoT in enterprise environments in terms of definition, vulnerabilities, risk and attacks: