Welcome to the SecAware blog

I spy with my beady eye ...

27 Feb 2017

28 days of awareness: day 26

The last-minute idea of using IoT ransomware as a unifying theme across all three awareness streams has worked out nicely.  

Most geeks being gadget freaks, we can easily set the IT and other professionals thinking and talking about the technical side of ransomware on things: taking control of them and holding them to ransom is challenging given their limited capabilities (the things I mean, not the pros!) but on the other hand all those insecure devices littering the network are, potentially, myriad network traffic monitors and launch-pads for attacks on other networked systems. Securing them is also technically challenging, to say the least. It doesn't take much to raise the topic and let the geeks' fertile imaginations elaborate.  Job done.

For managers, ransomware taking over industrial plant and machine tools, robots, vehicles and so forth is a scary thought, given their business-, safety- and environmental-criticality. The high stakes, and hence their financial value in a 'holding the business hostage' scenario, make the lack of security of IIoT things a significant and potentially strategic concern, all the more so given that ransomware is but one of many threats. Explaining the issue succinctly to managers takes a bit more effort: it needs more than just a vague hint about the risks.

For workers in general, the possibility of ransomware attacks on home automation systems and smart devices (including coffee machines, medical things and children's toys) takes the edge off IoT somewhat. While the high-tech gadget factor is the awareness hook that we hope will catch their attention for starters, when their managers and professional contacts mention the IIoT and technology angles too, they will (hopefully!) think twice about splashing out on all those oh-so-alluring shiny red IoT gizmos. 

IoT and IIoT security is a fascinating multi-faceted topic for security awareness purposes. As with the ransomware module, we bring it up from time to time. We're now thinking about focusing in more depth on IoT security awareness, perhaps this June. A lot has changed since the NoticeBored module on this topic was released way back in September 2015 (is it really less than two years ago? Golly!).

Anyway, right now our focus is on completing the ransomware module. The writing is done apart from the newsletter and the poster images, both of which are in prep, so the checklist is thoroughly ticked:

Deborah now has a day or so to proofread the materials, while I ready the NoticeBored website to show off the new module.

It would be ironic for us to be struck by ransomware right now with the imminent deadline, so as you might expect we are on high alert, making offline backups on a frequent basis. Yes, we eat our own dogfood.

