Near the end of a report on Chinese hackers infiltrating the U.S. Chamber of Commerce, the Wall Street Journal dropped the details that a thermostat at a Chamber-owned property was found communicating with an e-mail address in China and a printer in one of its offices spontaneously started printing Chinese characters.
Those small details speak to a larger problem facing network security today — there are so many devices that use the Internet, understaffed network administrators may not have time to check the security on every device that gets frictionless firmware updates or sends diagnostic information to a company.
As cyberattacks become more complex and sophisticated, network administrators are being advised to concentrate on the most important parts of their networks, and often miss small vulnerabilities.
“Everything has a web interface these days,” said Ron Gula, the chief executive of Tenable Network Security. “What we call embedded devices — security cameras, fax machines, the phone system — are usually out of scope of the traditional IT security person, who’s used to being conversant with Windows, UNIX, routers and things like that.”
Hackers, particularly ones targeting international targets, may not know that they are dealing with a thermostat or a printer when they access the network, but will try to use any way in to a network that they can, he said.
For network security professionals, Gula laid out some basic ground rules.
“Ask yourself if you know what’s on your network. Just because there is a printer on the network, that doesn’t mean the printer should be able to reach out,” he said.
There’s been a clear change in device behavior, he said, and network professionals didn’t know that there were devices on the network sending outbound e-mails.
Recognizing that IT staffs can’t be monitoring every action of every connected device on a given network, Gula said that companies and agencies should submit to regular privacy audits to look for anomalies.
Another thing that network professionals have to do, he said, is make it clear to all employees that keeping hackers out of a network is as much their responsibility as it is the responsibility of firewalls and antivirus software.
“Spam is well known but it’s often framed as ‘not my problem,’” he said. “We think about how to keep the hackers out, keep the spam out, but don’t think ‘I’m part of the problem, what should I be looking for.’”