Is your construction company secure? Too often, breaches give criminals access to data, slowing business and costing a lot of money—and no company is immune. Further, new legislation could create minimum security requirements.
One of the latest cybersecurity headlines has been the Citrix breach, and, unfortunately, the incident is just one example of how cybercriminals are always looking for ways to access data that isn’t theirs.
In a company blog post, Stan Black, Citrix’s CSIO, says the FBI contacted Citrix on March 6 to say it believed cybercriminals overseas had gained access to the company’s internal network. More than 400,000 organizations use Citrix solutions, including 99% of the Fortune 100 and 98% of the Fortune 500. Details have yet to be released, but it is estimated the threat actors had access to several terabytes’ worth of sensitive data stored in Citrix’s enterprise network, and they appear to have gained unauthorized access to the network using password spraying, a technique that exploits weak passwords.
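Password spraying has a recognizable shape in authentication logs: one source fails against many different accounts with only one or two attempts each, which is the opposite of a single-account brute force and slips under per-account lockout thresholds. The following is an added example, not code from the article or from Citrix, that runs that detection over a constructed sample log; the log format, the source addresses and the usernames are all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data); one event per line.
# 203.0.113.7 sprays six accounts and finally succeeds against "frank";
# 198.51.100.9 hammers a single account; 192.0.2.5 is a user who mistyped twice.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-03-01T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2019-03-01T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2019-03-01T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2019-03-01T10:00:09Z src=203.0.113.7 user=erin result=FAIL
2019-03-01T10:00:11Z src=203.0.113.7 user=frank result=OK
2019-03-01T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2019-03-01T10:01:05Z src=198.51.100.9 user=admin result=FAIL
2019-03-01T10:01:10Z src=198.51.100.9 user=admin result=FAIL
2019-03-01T10:01:15Z src=198.51.100.9 user=admin result=FAIL
2019-03-01T10:01:20Z src=198.51.100.9 user=admin result=FAIL
2019-03-01T10:02:00Z src=192.0.2.5 user=alice result=FAIL
2019-03-01T10:02:20Z src=192.0.2.5 user=alice result=FAIL
2019-03-01T10:02:40Z src=192.0.2.5 user=alice result=OK
"""

# Assumed log line layout: ISO timestamp, source address, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_password_spray(log_text, window=timedelta(minutes=15), min_accounts=5):
    """Flag sources that fail against many distinct accounts inside one time window.

    The key is counting distinct failing accounts per source rather than failures
    per account: a spray stays below per-account lockout limits by design.
    """
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        peak = 0  # largest number of distinct accounts failing within one window
        for i, first in enumerate(fails):
            in_window = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak < min_accounts:
            continue
        # A success from a spraying source is the highest-priority signal: it most
        # likely means a weak password was found and that account needs a reset.
        hits = sorted({e["user"] for e in evs if e["result"] == "OK"})
        findings[src] = {"distinct_accounts": peak, "successful_logins": hits}
    return findings


if __name__ == "__main__":
    for src, f in detect_password_spray(SAMPLE_LOG).items():
        print(f"{src}: spray against {f['distinct_accounts']} accounts, "
              f"successful logins: {f['successful_logins'] or 'none'}")
```

On the sample log only 203.0.113.7 is flagged; the single-account brute force and the user's two typos are not, because neither touches many accounts. The tunable parts are the window and the account threshold, and in practice the per-source view should be complemented by a per-password-guess view where the authentication system exposes it, since sprays are often spread across many source addresses.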
Weak passwords continue to haunt the IoT (Internet of Things) space as many connected devices are sold without basic safeguards and protections in place. One of the calling cards of this era in the tech space, however, is lawmakers’ attempts at creating legislation that would help make the IoT more secure. Two former examples were the IoT Cybersecurity Improvement Act of 2017 and the IoT Federal Cybersecurity Improvement Act of 2018. Now, U.S. Senators Mark Warner (D-VA) and Cory Gardner (R-CO), alongside Senators Maggie Hassan (D-NH) and Steve Daines (R-MT), have introduced the IoT Cybersecurity Improvement Act of 2019. Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) introduced companion legislation in the House of Representatives.
The latest iteration of the cybersecurity bill would require devices purchased by the U.S. government to meet certain “minimum security requirements.” For instance, the IoT Cybersecurity Improvement Act of 2019 would require the NIST (National Institute of Standards and Technology) to issue recommendations addressing secure development, identity management, patching, and configuration management for IoT devices. It would then require any internet-connected devices purchased by the federal government to comply with these recommendations.
Additionally, the legislation would direct the NIST to publish guidance on coordinated vulnerability disclosure, and contractors and vendors providing IoT devices to the U.S. government would need to adopt coordinated vulnerability disclosure policies.
Is the third time the charm for this legislation? As the IoT grows in size and scope, it raises many questions, even as it solves key business problems. According to Symantec’s Internet Security Threat Report released February 2019, targeted attack actors demonstrated interest in using the IoT as an infection vector in 2018. In fact, the research suggests there were 57,553 attacks against IoT devices in 2018. With this many attacks, it’s safe to assume that no device, system, or network connected to the internet is truly safe.
Citrix customers must now wait for the results of the FBI’s investigation to learn whether or not their sensitive data has been compromised (and what the implications will be if their data has been stolen by threat actors overseas). As usual when such breaches occur, the repercussions throughout the space will include many discussions about how companies and customers can protect themselves from future breaches. If 2019 is the year of cybersecurity legislation, it could prompt change across the industry, influencing not only vendors selling connected devices to the U.S. government but also every other player that takes part in the buying, selling, designing, manufacturing, enabling, or supporting of IoT products and services.