IoT is a novel technology that is susceptible to more than 70,000 known CVEs: Keith Martin, F-Secure

0
Keith Martin, Head of Asia Pacific and Corporate Business, F-Secure

Keith Martin, Head of Asia Pacific and Corporate Business, F-Secure, in an interaction with CRN, talks about the various changing scenarios of security in India and shared his outlook for the adoption of IoT

How do you look at the cyber security scenario of India with the transforming technology edge?
India has worked incredibly hard on the cyber security front. The National Cyber Security Policy was incorporated as early as 2013. The policy is aimed at developing a secure and resilient cyberspace for Indian citizens and businesses. Additionally, it launched its own Computer Emergency Response Team (CERT-In) in 2004. Supporting the nation’s determination to dynamically address the burgeoning cybersecurity challenges, MeitY (Ministry of Electronics and Information Technology) launched Digital Swachhta Kendra, a botnet cleaning and malware analysis centre, in 2017 as botnet-based attacks increased on a global level. It had also instituted a federal CISO to spearhead and monitor cyber security policy, planning, and implementation. Something that isn’t recognised on a macroscopic level is that India is also equipped with two-factor authentication for online payments. This decreases its exposure to fraudulent transactions. The country also constantly collaborates with industry partners, as well as international players, and is benefitted by this threat intelligence collaboration. These initiatives and collaborations add to the nation’s defensiveness as it emerges as a promising digital market across the globe.

How IoT security would be a crucial factor? Does F-Secure work closely with the IoT companies and what kind of opportunities does it hold for cyber security players?
IoT technology has innumerable merits that considerably enhance our productivity in both the business landscape, as well as in our day-to-day lives, but this efficiency comes at a price. IoT is a novel technology that is susceptible to more than 70,000 known CVEs (Common Vulnerabilities and Exposures). Despite this astounding figure, the new and emerging technology is still believed to have more vulnerabilities that are every now and then discovered by industry players and will be discovered over a period of time. F-Secure itself discovered a vulnerability in Foscam’s IP camera last year. This makes India’s rapid adoption of the technology a bit perilous from the cyber security perspective. Such deployments must always be backed with relevant cybersecurity countermeasures.

With IoT technology manufacturers racing to bring their products to market, security features are unlikely to be a high priority. As such, this is one of the few areas of technology where regulation may greatly benefit the end-users and the wider security ecosystem. Naturally, there are opportunities for cyber security companies to assist IoT device manufacturers in developing security strategies. F-Secure, for instance, has a cyber security assessment service for hardware and software companies wishing to test their products for vulnerabilities. F-Secure is also working with router manufacturers and internet service providers catering to domestic customers. Home routers are the entry points to the internet connectivity of people’s homes. Though home routers may not be ‘IoT devices’ as such, they are an essential component of connected homes; securing them, therefore, becomes critical. F-Secure sees a great opportunity in the home router security space going forward.

At the same time, we believe that endpoint protection for personal devices (such as Windows PCs, Macs, Android phones or tablets) is still important. Compromised IoT devices might be used “as is” for malicious activities such as botnet attacks, but they can also be used for infecting other personal devices on the home network. This could then lead to, for example, exfiltration of sensitive personal files or theft of login credentials. Hence, endpoint protection (for the platforms that support it) is still very relevant and needed.

What are your views on the status of General Data Protection Regulation(GDPR) and its importance?
GDPR has been prepared by the European Parliament. This development, though taking place in the EU, also holds relevance for Indian companies that outsource their services to the European nations. Such companies need to thoroughly analyse their business model vis-à-vis the enacted regulation and comply accordingly. Those that do not comply risk losing business from European companies.

How has been the response from the India market for F-Secure in comparison to global market?
Although each of our markets around the globe is unique, we have seen a great degree of success in larger enterprises, as well as the government sectors, within India for several of our on premise solutions. We do see a bit more hesitation in this market regarding the cloud based product offerings than we have in other locations, but we feel that as the India market continues to evolve, we will also see a similar level of adoption of our cloud solutions that we have seen in other areas.

What are the various industries F-Secure is working in for cyber security?
We are working on very broad range of industries, from general cyber security for companies to specialized sectors, such as manufacturing industry, energy, banking, medical, aerospace, automotive and maritime cyber security. If it has importance for the proper functioning of a modern society, we are there to protect it.

How important is the end-point detection and response in the field of cybersecurity?
Businesses often make massive spends protecting their IT infrastructure and data from external threats. However, the biggest and rarely detectible threat is that of a malicious insider. A malicious insider can have access to sensitive information, such as product development, R&D initiatives, and market strategy, which can have a detrimental outcome for the company. Thwe insider may have access to hardware systems and can create an additional layer of vulnerability. This presses the need for organisations to have a proactive end-point detection and response solution. Also, as many business corporations begin practising the ‘BYOD’ (Bring Your Own Device) approach, access to core IT infrastructure of an organisation can be penetrated by compromising these low-security devices. Hence, end-point detection has become nearly imperative for modern businesses.

Which are the major steps to be taken for mobile cyber security?
India’s NPCI (National Payments Corporation of India) ensures that all of its digital payments are safe and secure. As I have already spoken about two-factor authentication, it must be understood that such steps have established multiple layers of security for Indian customers. But, as there are advantages, there are limitations as well. Indian smartphones are presently being extensively used for digital payments through e-wallets and banking applications. These smartphone-based applications, however, are not equipped with hardware-level security. So, security issues on the mobile endpoint can put the integrity of user data at risk. Moreover, global cyber attackers constantly keep changing their TTPs (Tactics, Techniques, and Procedures) and a more proactive approach is required to protect the increasingly digitising nation.

How cyber security plays a vital role in developing India’s smart cities, and is F-Secure working with any Indian Smart City project?
Smart cities feature a range of digital devices and framework, including cloud systems, network cameras, and internet-connected sensors, that can be compromised by a cyber-attacker. This directly increases the network boundary that needs to be protected and vulnerabilities eliminated on the hardware and software-level before we unveil our smart cities to the masses. Without cyber security, a smart city cannot exist, as a smart city is essentially a control system, and that implies it must be under control of the intended users, not criminal organisation or a hostile nation state. We are not currently working with any Indian Smart City project, but that can change.