Seven IT risks that no one thinks about
Corporate networks are threatened by "non-classical" IT systems, above all devices from the Internet of Things. There are seven threat scenarios to keep an eye on.
It is now common knowledge that you should not open the attachment of an e-mail from an unknown sender or plug in a USB stick you have found. Most employees are no longer that naive. But there are also risks that even security experts are often not aware of. The Internet of Things (IoT) and the integration into corporate networks of numerous systems that are not part of traditional IT have created new points of attack. The central problem is that most providers of such systems, such as elevator manufacturers or manufacturers of building technology, are not at home in IT security, yet their equipment and systems are highly relevant to it.
There are usually two dangers: on the one hand, the systems themselves can be disrupted, damaged or paralyzed by attackers, with consequences ranging from unpleasant to devastating depending on the type of system; on the other hand, attackers can use the systems in question as a springboard ("system hopping") for penetrating corporate networks.
Keeping an eye on seven IT risks
In the opinion of NTT Security, companies should keep the following scenarios in mind in particular:
- Elevators are a prime example of the range of applications of the IoT: the troubleshooting and remote maintenance this makes possible increase the efficiency of the systems considerably. Few people realize that maintenance companies, which may not have a security concept of their own, thereby have largely uncontrolled access to the corporate network.
- Modern air-conditioning systems are often reachable via the Internet for maintenance purposes. This not only provides a dangerous path into the corporate network; tampering with an air-conditioning system, in the data center for example, can cause devastating damage through overheating or system failure.
- Fire alarm systems are also usually not taken into account in security concepts. Manipulation can significantly disrupt operations, for example through false alarms, and can also cause considerable damage, for example by triggering a sprinkler system.
- Access control systems are often integrated into the IT infrastructure, but this creates a gateway through which attackers can gain not only unauthorized physical access but also access to corporate networks.
- Practically all companies depend on an undisturbed power supply, so the effects of a successful attack are all the more serious here; yet uninterruptible power supplies (UPS) and power management systems are in most cases not perceived as possible points of attack.
- Entertainment systems are operated in many companies, for example the usual TVs in the conference room. Common smart TVs have an Internet connection that can be attacked; smart TV cameras, for example, can be activated remotely. But few companies have securing their TVs on their radar.
- Even in canteens, devices are now often networked, such as smart coffee machines, some of which have displays for awareness campaigns or general company news. Many manufacturers have remote access to the machines for troubleshooting or reordering coffee, but this access is usually not monitored. Because the availability of the coffee machine is taken care of but the corresponding software updates and security configuration are not, this creates yet another gateway into the corporate network.
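The two dangers named at the start of the article, and the "uncontrolled access" that runs through the seven scenarios, can be turned into a concrete check on firewall flow logs. The following is an added example and is not code from NTT Security or from the article: it scans constructed flow-log lines for building-systems devices reaching into the corporate network ("system hopping") and for remote maintenance sessions that do not match a declared vendor arrangement (wrong source range, wrong port, or outside the agreed maintenance window). The network ranges, device inventory, vendor ranges, maintenance windows and log line format are all assumptions made for the illustration.

```python
"""Flag "system hopping" and uncontrolled vendor access in firewall flow logs.

Added example, not from the NTT Security article. Assumptions (all constructed):
  - building-systems devices (elevator, HVAC, fire alarm, ...) sit on 10.50.0.0/16
  - the corporate user/server network is 10.10.0.0/16
  - each maintenance vendor has a declared source range, allowed ports and a
    maintenance window given as UTC hours [start, end)
  - a flow line looks like: "<ISO-8601 time> <src_ip> <dst_ip> <dst_port> <ACCEPT|DROP>"
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

BUILDING_NET = ipaddress.ip_network("10.50.0.0/16")  # assumed segment for building systems
CORP_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed corporate user/server segment

# Constructed inventory: which of the article's seven device classes lives where.
DEVICES = {
    "10.50.1.10": "elevator controller",
    "10.50.2.20": "HVAC (data center)",
    "10.50.3.30": "fire alarm panel",
    "10.50.4.40": "access control server",
    "10.50.5.50": "UPS management card",
    "10.50.6.60": "conference-room smart TV",
    "10.50.7.70": "canteen coffee machine",
}


@dataclass(frozen=True)
class VendorAccess:
    """Declared remote-maintenance arrangement for one device (constructed)."""
    source: ipaddress.IPv4Network   # where the maintainer is allowed to connect from
    ports: frozenset[int]           # ports the maintenance contract allows
    window: tuple[int, int]         # permitted UTC hours [start, end)


# Constructed contracts: only these sources may reach these devices, and only then.
VENDOR_ACCESS = {
    "10.50.1.10": VendorAccess(ipaddress.ip_network("203.0.113.0/24"), frozenset({443}), (8, 18)),
    "10.50.2.20": VendorAccess(ipaddress.ip_network("198.51.100.0/24"), frozenset({22}), (8, 18)),
    "10.50.7.70": VendorAccess(ipaddress.ip_network("192.0.2.0/24"), frozenset({8883}), (6, 22)),
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    accepted: bool


def parse_flow(line: str) -> Flow:
    """Parse one flow line in the assumed format into a Flow (timestamps normalised to UTC)."""
    ts, src, dst, dport, action = line.split()
    return Flow(datetime.fromisoformat(ts).astimezone(timezone.utc),
                ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), action == "ACCEPT")


def check_flow(flow: Flow) -> list[str]:
    """Return zero or more findings for one flow; dropped flows never produce findings."""
    if not flow.accepted:
        return []
    findings = []
    src_name = DEVICES.get(str(flow.src), "unknown device")
    dst_name = DEVICES.get(str(flow.dst), "unknown device")
    # Danger 2 from the article: a building-systems device hopping into corporate IT.
    if flow.src in BUILDING_NET and flow.dst in CORP_NET:
        findings.append(f"system hopping: {src_name} ({flow.src}) -> corporate host {flow.dst}:{flow.dport}")
    # Danger 1: external remote-maintenance access to a building-systems device
    # that is not covered by a declared vendor arrangement.
    external = flow.src not in BUILDING_NET and flow.src not in CORP_NET
    if flow.dst in BUILDING_NET and external:
        contract = VENDOR_ACCESS.get(str(flow.dst))
        if contract is None:
            findings.append(f"no maintenance contract on record: {flow.src} -> {dst_name} ({flow.dst}):{flow.dport}")
        elif flow.src not in contract.source or flow.dport not in contract.ports:
            findings.append(f"remote access from undeclared source/port: {flow.src} -> {dst_name} ({flow.dst}):{flow.dport}")
        else:
            start, end = contract.window
            if not start <= flow.ts.hour < end:
                findings.append(f"vendor access outside maintenance window ({start:02d}-{end:02d} UTC): "
                                f"{flow.src} -> {dst_name} ({flow.dst}) at {flow.ts:%H:%M}")
    return findings


# Constructed sample log: one legitimate session, one dropped flow, four that should alert.
SAMPLE_LOG = """\
2024-03-04T10:15:00+00:00 203.0.113.7 10.50.1.10 443 ACCEPT
2024-03-04T02:15:00+00:00 203.0.113.7 10.50.1.10 443 ACCEPT
2024-03-04T10:20:00+00:00 10.50.6.60 10.10.4.25 445 ACCEPT
2024-03-04T11:00:00+00:00 192.0.2.77 10.50.5.50 80 ACCEPT
2024-03-04T12:00:00+00:00 10.50.7.70 10.10.9.9 3389 DROP
2024-03-04T12:30:00+00:00 198.51.100.9 10.50.2.20 23 ACCEPT
"""


def audit(log: str) -> list[str]:
    """Run check_flow over every non-empty line of a log and collect the findings in order."""
    findings = []
    for line in log.splitlines():
        if line.strip():
            findings.extend(check_flow(parse_flow(line)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the elevator vendor's daytime session passes, the dropped RDP attempt from the coffee machine is ignored, and four findings remain: the same vendor at 02:15, the smart TV opening SMB to a corporate host, an unknown external address reaching the UPS card, and the HVAC vendor using telnet instead of the agreed SSH port. The point of the design is that the inventory and the vendor contracts, which the article says are usually missing, are exactly the data the detection needs; without them every external session to a building-systems device is indistinguishable from maintenance.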
"The IT security philosophy has traditionally focused on IT systems and networks," explains Christian Koch, Senior Manager GRC & IoT/OT at NTT Security. "However, this no longer corresponds to the current threat situation: in the age of the Internet of Things, potentially everything that is powered by electricity is a system component that can be addressed via the Internet and is therefore automatically a potential target for attack. Companies therefore urgently need to broaden their field of vision and consider these risks as well."
Source: NTT Security