Yesterday, at about 11am EST, a hashtag started trending on Twitter: #Facebookdown. The social media site and its sister, Instagram, were suffering an outage. Some users weren’t able to log in to their accounts at all while others were experiencing limited functionality.

It was the worst disruption to the platform since 2008 when Facebook user numbers were 150 million – compared with 2.3bn monthly users currently on the social network.

During and after the outage, speculation was rife about a cyber-attack. After all, the social network has had a bad year that has seen it be a victim of several successful hacks and data leaks.

Much of the speculation centres on whether Facebook could have been the victim of a distributed denial of service (DDoS) attack, in which a website is taken offline because an attacker floods it with traffic. Facebook strongly denies this.

What we know so far

Facebook has responded. A spokesperson told me: “We’re aware that some people are currently having trouble accessing the Facebook family of apps. We’re focused on working to resolve the issue as soon as possible, but can confirm the issue is not related to a DDoS attack.”

But what else could it be? Suggestions range from a simple misconfiguration error, to a planned cyber-attack by a malicious actor.

The case for

Only time will tell the real reason for the outage, but experts don’t dismiss the idea that a malicious actor could be at fault. “Despite initial reports that the issues at Facebook and Instagram have been caused by an overloaded data server, there is still every possibility that these outages could be the result of malicious actors,” says Dr Max Eiza, lecturer in computing at the University of Central Lancashire.

Dr Eiza points out that it has previously “taken weeks” for tech giants to own up to the fact that system outages have been the result of DoS attacks (something which Facebook strongly denies). However, says Dr Eiza, until a full investigation has been conducted, it’s impossible to rule this out.

And even if this issue is the result of internal failures, Dr Eiza warns that there is still a chance that malicious actors could have seized this downtime to get hold of data. “There’s every possibility that the data of Facebook and Instagram users could be at risk.”

Edward Whittingham – a former police officer and qualified solicitor, who is now the MD of The Defence Works – is yet to be convinced by Facebook’s denial. “Facebook have flat out denied that their outage could be caused by a distributed denial of service attack but I’m yet to be convinced – especially given their very vague explanations,” he says.

Indeed, Whittingham says the outage “has all of the hallmarks of a DDoS attack”, given that the sole purpose of these types of attacks is to bring down entire websites.

However, he also points out that Facebook should be well guarded against these types of attacks. “They will use such incredibly huge volumes of bandwidth it’s perhaps difficult to see how they couldn’t absorb even a monumental DDoS attack.”

He also questions what else could be lurking behind the scenes. “I suspect that this could well be an internal issue but, in the absence of any other evidence, who’s to say this internal issue wasn’t caused by some sort of attack – whether it be phishing, social engineering or otherwise.  After all, Facebook would make for a pretty big target if someone were to be successful.”

So, who would want to attack Facebook? If it was a cyber-attack, there are a number of potential threat actors who could be responsible, says Dr Guy Bunker, CTO at Clearswift, including nation-states or a group sponsored by a nation-state. “There has been a lot of media attention on Facebook (and others) over their influence in politics with voting. Taking down the Facebook network shows just who is in control – and in this case, it isn’t Facebook. However, there is no (current) sign that this was a cyber-attack,” he points out.

Christopher Moses, director intelligence and investigations at Blackstone Consultancy says the chance that it suffered a massive DDoS “is remote but not impossible”.

He adds: “Unfortunately, it is far too early to say, so conspiracy theorists can stand down for the moment and I suspect that Facebook’s PR machine is kicking into overdrive to minimise the effect of the outage.”

The case against

It’s not a surprise that speculation is rampant about a security issue, given Facebook’s previous track record. But Tim Mackey, senior technical evangelist at Synopsys suspects the real reason “will be more mundane”.

Among the reasons for the outage, he suggests: “Perhaps a misconfiguration of some software, perhaps a hardware issue, or maybe simply a software update gone wrong are far more likely causes.”

Dr Bunker says the outage is far more likely to be a mistake by someone inside the organization, an administrator for example. “Someone made a configuration change which ended up having a knock-on effect, which in turn took down the systems.”

Alternatively, he suggests it could have also been a reaction to something seen, such as someone attempting to breach the network – “where the decision was that it was better to take the network down to resolve the issue rather than have a potential breach”.

He explains: “These days networks are sufficiently complex that segregation is so difficult – particularly large cloud applications – that it becomes easier to shut everything down than run the risk of something ‘getting in’ and infecting the entire network.”

The outage will likely end up being an issue with either internal IT infrastructure or a network supplier’s connectivity, says Naaman Hart, cloud services security architect at Digital Guardian. He also questions why a service “as large and public as Facebook” isn’t fault tolerant. “If every other service in the region were down, fair enough, but this looks like it just impacts Facebook and its child entities.”

To conclude

Of course, it’s impossible to answer the question definitively. But what’s always important in cases such as these is transparency. Facebook has been shady in the past with multiple accusations that it is abusing user data. It’s therefore important that it does update users with the reason for the outage, with specifics, as soon as it has completed its investigation.

“I do hope that Facebook follows radical transparency and details the real cause of this outage,” says Mackey. “Doing so would go a long way in communicating that privacy can continue to be trusted on their platform. It would also provide other organizations with information they can use to avoid a similar situation and improve our collective security online.”


Most organizations understand that DDoS attacks are disruptive and potentially damaging.  But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.

  • There are more important security issues than DDoS that need to be resolved first.

When it comes to cyber-attacks, the media focuses on major hacks, data breaches and ransomware incidents. Yet DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71% in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled, according to the Link11 DDoS Report. The number of devastating examples is large. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according to the UK National Crime Agency. And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using what was then the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11. It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to fix the damage they cause.

What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks. As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.

  • I know that DDoS attacks are common, but I’ve never been affected before

Many companies underestimate the risk of being hit by DDoS because they have never been hit before. The truth is that a single attack is often enough to cause severe damage along the value chain, and any company connected to the Internet in any way is potentially affected. Overload attacks do not only affect websites; they hit every other network-facing service too, such as e-mail, intranets, customer connections, supplier and workflow systems, and more. Today, customers and partners expect 100% availability. Besides the business interruption due to production loss and recovery costs, reputational damage is a common consequence. Total costs for an incident can quickly run into the millions. By comparison, the cost of proactive protection against these kinds of attacks is negligible.

  • There are many providers offering a solution, so DDoS is an easy problem to fix

DDoS is not a new topic, which means that many of the available solutions are outdated. Only a few providers deliver up-to-date, real-time protection that secures against all types of attacks on all network layers. Only a handful of providers can react immediately in an emergency, i.e. once an attack is already under way, and quickly put the right protection in place for an organization.

  • Reacting to an attack within a few minutes is sufficient

Ideally, the use of intelligent defence systems and always-on protection should prevent a failure in the first place. However, if a new attack pattern appears, the first 30 seconds are crucial. Even if an attack is mitigated after just one minute, established connections will already have been interrupted (an IPsec tunnel collapsing, for example) and it may take several hours until availability is fully restored. Although mitigation prevents the follow-up actions that can lead to infiltration and data theft, the economic costs of lost revenue, lost productivity and damage to reputation can still be immense. Therefore, it is vital for organizations to implement a solution that guarantees mitigation in a matter of seconds.
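The seconds-scale reaction the paragraph above calls for starts with seconds-scale detection. The following is an added example, not code from the original article or from any vendor it mentions: a per-destination sliding-window detector over flow records (NetFlow/IPFIX-style; the field names, the thresholds and the sample traffic are all assumptions constructed for the example). It learns a quiet-period packet rate, then raises one alert for the first one-second window that is both far above baseline and flood-shaped (many distinct sources, or mostly half-open SYNs), and reports how long after the flood began that alert fired.

```python
"""Seconds-scale flood detection over flow records (added example, not vendor code)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/IPFIX-like; field names are assumed)."""
    ts: float        # export time, seconds
    src: str
    dst: str         # the protected service address
    packets: int
    syn_only: bool   # TCP SYN set and ACK clear: handshake never completed


@dataclass(frozen=True)
class Alert:
    ts: float
    dst: str
    pps: float
    sources: int
    syn_share: float


class FloodDetector:
    """Per-destination sliding window. The first `learn_s` seconds of traffic to a
    destination set its baseline packet rate; afterwards a window that exceeds
    `pps_multiplier` times that baseline AND looks like a flood (many distinct
    sources, or mostly half-open SYNs) raises one alert. All thresholds are
    assumptions to be tuned per service. Caveat: a destination that is idle during
    learning gets a baseline of 1 pps, so learn on a representative period."""

    def __init__(self, window_s: float = 1.0, learn_s: float = 5.0,
                 pps_multiplier: float = 10.0, syn_share_limit: float = 0.8,
                 min_sources: int = 50) -> None:
        self.window_s, self.learn_s = window_s, learn_s
        self.pps_multiplier, self.syn_share_limit = pps_multiplier, syn_share_limit
        self.min_sources = min_sources
        self._win: Dict[str, Deque[Flow]] = {}
        self._first_ts: Dict[str, float] = {}
        self._learned_pkts: Dict[str, int] = {}
        self._baseline_pps: Dict[str, float] = {}
        self._alerted: Dict[str, Alert] = {}

    def observe(self, f: Flow) -> Optional[Alert]:
        win = self._win.setdefault(f.dst, deque())
        win.append(f)
        while win and f.ts - win[0].ts > self.window_s:   # drop records older than the window
            win.popleft()
        first = self._first_ts.setdefault(f.dst, f.ts)
        if f.ts - first < self.learn_s:                    # still learning the quiet rate
            self._learned_pkts[f.dst] = self._learned_pkts.get(f.dst, 0) + f.packets
            return None
        if f.dst not in self._baseline_pps:
            self._baseline_pps[f.dst] = max(1.0, self._learned_pkts.get(f.dst, 0) / self.learn_s)
        if f.dst in self._alerted:                         # one alert per destination
            return None
        pkts = max(1, sum(x.packets for x in win))
        pps = pkts / self.window_s
        sources = len({x.src for x in win})
        syn_share = sum(x.packets for x in win if x.syn_only) / pkts
        if pps > self.pps_multiplier * self._baseline_pps[f.dst] and (
                sources >= self.min_sources or syn_share >= self.syn_share_limit):
            alert = Alert(f.ts, f.dst, pps, sources, syn_share)
            self._alerted[f.dst] = alert
            return alert
        return None


def run(flows: List[Flow]) -> List[Alert]:
    det = FloodDetector()
    return [a for a in (det.observe(f) for f in sorted(flows, key=lambda x: x.ts)) if a]


SERVICE = "203.0.113.10"   # documentation range, constructed
ATTACK_START = 10.0


def sample_flows() -> List[Flow]:
    """Constructed traffic: 200 pps of ordinary traffic from five clients for 12 s,
    then from t=10 s a SYN flood of 20,000 pps cycling through 250 spoofed sources."""
    flows = []
    for i in range(120):                           # t = 0.0 .. 11.9, every 0.1 s
        t = i / 10
        for c in range(5):
            flows.append(Flow(t, f"192.0.2.{c + 1}", SERVICE, 4, False))
    for i in range(200):                           # t = 10.00 .. 11.99, every 10 ms
        t = ATTACK_START + i / 100
        for r in range(5):
            n = (i * 5 + r) % 250 + 1
            flows.append(Flow(t, f"198.51.100.{n}", SERVICE, 40, True))
    return flows


def time_to_detect(alerts: List[Alert], attack_start: float = ATTACK_START) -> Optional[float]:
    return alerts[0].ts - attack_start if alerts else None


if __name__ == "__main__":
    found = run(sample_flows())
    print(found, "detected after", time_to_detect(found), "s")
```

On the constructed traffic the alert fires within a tenth of a second of the flood starting, because the flood is a hundred times the baseline; the same window logic fed from a real exporter would be limited by the exporter's active-flow timeout, which is why the paragraph's point about seconds, not minutes, applies to the collection pipeline as much as to the detector.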

  • We have our own 24/7 Security Operations Center (SOC), so we are immune

In the flood of security alerts in the SOC it is likely that some events are overlooked or not correlated with other activities. Furthermore, the sheer volume of analysis and response actions required during a large attack cannot be handled by people alone. Only a fully automated process, built on intelligent and globally networked systems and designed to keep human error out of the response chain, can ensure comprehensive protection. Industrial-scale attacks can only be countered with industrial-scale defences.

  • I am already in the cloud and am automatically protected by my cloud provider

The major cloud providers offer some basic DDoS protections. But these are not aimed at stopping targeted, mega-scale attacks. In October 2016, the Mirai-driven DDoS attack on the DNS provider Dyn made many major web services unreachable for hours, even though those services themselves were not the ones under attack. In addition, cloud applications can also be flooded from other tenants’ workloads inside the same cloud, traffic that the provider’s edge protections may never see. Therefore, when running business-critical applications in the cloud, it is important to consider deploying additional DDoS protections for those applications.

  • I have invested in hardware that offers protection

Although these systems ensure high infrastructure performance, they only provide static protection against DDoS attacks. This means that the DDoS protection there can only be as good as the current version of the filtering software – which is already outdated as soon as it is released. This approach might have worked a couple of years ago. Nowadays, however, with ever more complex and powerful attacks that combine several vectors and target multiple layers at the same time, this kind of protection is insufficient. Effective protection is only possible via intelligent and networked systems which use advanced machine-learning techniques to analyse traffic and build a profile of legitimate traffic.

In conclusion, DDoS protection needs to be seen as an essential part of the IT security infrastructure. Starting to look for a solution once an attack is under way is too late. By clearing up the misconceptions above and implementing the measures described in this text, companies can put their business continuity strategy on a sustainable footing.


Cybersecurity is often seen as one of those big problems that only large entities like banks, tech companies, and governments have to worry about. In reality, a lot more people should be concerned with cybersecurity, not just big corporations. The latter may indeed be responsible for more data. Still, it is the smaller entities, such as companies with fewer than 1000 employees, that are at the greatest risk.

TechJury compiled a list of cyber security statistics to help visualize what is happening in the field as well as what to expect in 2019.

Data Breaches
Often it is data breaches that steal the headlines. In most cases, it takes companies about 6 months to detect a data breach.(Source: ZD Net)

If a robbery took place and the perpetrators got away, how much of a head start do they have if they want to cover their tracks? A day? An hour? Cybercriminals often get a neat 6-month head start, which makes tracking them down that much harder.

There were 8,854 recorded breaches between January 1, 2005 and April 18, 2018(Source: Identity Theft Resource Center). These breaches account for millions of records, with the price per record ranging anywhere from $120-$600. If we average these out at $360 per record, then the total price of these breaches is in the billions. People talk about the cost of cybersecurity, but they seldom think about the cost of not having it.
In 2017, 61% of data breach victims were companies with less than 1000 employees (Source: Verizon).

While this number may be alarming, this has more to do with the fact that the larger-scale companies are more likely to have robust security than smaller companies. Many of these smaller companies simply do not have the means for a proper defence to combat advanced cyber threats, which contributes heavily to these cybersecurity statistics.

Cyber attacks vary in sort and severity, but they can be absolutely devastating, especially for small business owners. According to Small Business Trends 43% of cyber attacks are targeted at small businesses.

It makes a lot of sense that the little guy is targeted so often. While the benefit of such an attack for the hacker is relatively small, it is much easier to pull off. Many small businesses have minimal security infrastructure, making them easy prey for data predators. Given the number of cyber attacks per day, a great many of those small businesses are hit. Around 50% of the risk companies face comes by way of having multiple security vendors (Source: Cisco).

One may think that when it comes to security, the more the merrier. However, having multiple security vendors is a great way to complicate your security infrastructure in a way that is likely to create greater vulnerabilities. The hacking statistics suggest it is best to stick with one security vendor and apply all the security updates and recommendations that vendor presents.

Internet of things (IoT) attacks were up by 600% in 2017 (Source: Symantec). Nearly everyone has a smartphone now, giving hackers and cybercriminals a wider choice of targets. A portion of the rise could be attributed to the increased number of IoT devices, but the greater issue is that security doesn’t keep pace with the growing threats. 31% of organizations have experienced cyber attacks on operational infrastructure (Source: Cisco).

Perhaps the more concerning side to cybersecurity statistics, in general, is the number of incidents that have gone unreported. Speculation would lead one to believe that the figure of 31% is significantly lower than reality. Whatever the case, this is an important figure to be aware of as it shows at the very least that hackers are proficient in finding the correct target.

Distributed Denial of Service (DDoS) attacks account for 5% of monthly traffic related to gaming (Source: Cox BLUE). This attack attempts to disrupt regular traffic to the desired web endpoint. Video gaming is a popular place for these attacks to occur because there are predictable and specific endpoints for most devices. Just 38% of global organizations claim that they are equipped and able to handle a complex cyber attack(Source: IBM).

Perhaps one of the most alarming cybersecurity statistics on this list is the understanding that 62% of global organizations cannot claim that they are equipped to handle a cyber attack. This void will lead the charge for improved cybersecurity in the future.

Malware is by far the most common type of malicious internet activity. Over 24,000 malicious mobile apps are blocked from the various app stores each day (Source: Symantec).

Apple has generally been on top of its app store, not allowing malicious or harmful software onto iOS devices. Android has had a longer journey there because of the freedom afforded to developers. Nevertheless, it improved radically over the past several years. Such malicious apps can still be accessed, but most devices do require user approval before installing any unverified third-party applications. Cyber attack statistics show this to be a key reason why harmful software for mobile devices is not such an issue anymore.

$2.4 million is the average cost of a malware attack in 2017 (Source: Accenture). One of the most prevalent attacks comes in the form of malware. Malware can cripple entire systems or even render them useless. A successful malware attack resulting in a cybersecurity breach can crumble an entire company as well as ruin its public reputation.

There was an 80% increase in malware attacks on Mac computers in 2017 (Source: Cisco). Mac computers have long been renowned for their resistance to malware. As far as out-of-the-box security goes, the Mac has been the gold standard for quite some time, but things seem to be changing. Malware statistics point to an astronomical increase that raises a few eyebrows. Is it possible that cybercriminals have found new vulnerabilities?

75% of the healthcare industry has been infected with malware at some point in time (Source: CISION: PR Newswire). The healthcare industry accounts for the most records lost. This has to do with many factors including outdated systems, lack of training, and substandard protocols. In short, healthcare providers are an easy target with a lot to offer to potential criminals. It is no wonder why this industry is so often a target of large scale cyber attacks.

Around 60% of malicious web domains are associated with spam campaigns.(Source: Cisco) For some reason I find it concerning when a company tells me to check my spam folder. The spam folder is where many people get taken advantage of. Spam campaigns attempt to send the user to insecure or malicious domains in an attempt to mine data.

38% of malicious files came in formats used by the Microsoft Office suite of products (Source: Cisco).
Microsoft Office is one of the most familiar sights in a modern working environment. Cybercriminals use these formats for their malicious files in an attempt to lure unsuspecting victims into thinking it is just a simple spreadsheet or report. This is not new: executables disguised as harmless, well-known file types have been a popular digital bait for years.

Security specialist is one of the most promising career choices in the IT sector. There are over 300,000 unfilled cybersecurity jobs in the United States, with the demand rising each year (Source: Cybint Solutions). If you are a college freshman deciding on a major, then cybersecurity might be an attractive option. Not only are there plenty of openings, but the demand is expected to rise at an unprecedented rate. There are plenty of jobs available in tech nowadays, but perhaps none is as vital as security. The next few cybersecurity stats show just how pressing this need may be.

By 2021, the number of unfilled cybersecurity jobs is expected to balloon to 3.5 million (Source:The Hill).
The expected rise in jobs is still outpaced by the expected need for them. Chances are, companies will not be able to get enough cybersecurity experts. There’s simply not going to be enough people with this type of competency to fill all available spots. Let’s just stop and consider what it means that so many companies will not be able to get proper protection from cybercrimes. As cybercrime statistics show, this is one of the biggest problems that companies have to solve.

Cybersecurity job postings are up 74% over the past five years(Source: Cybint Solutions). This though is the (only) silver lining to these attacks. Many young people will be able to find gainful work in the cyber security sector. The unfortunate reality is much of this will be in response to attacks that will take place, and that there will be many more data breaches affecting millions of people within the next few years. Data breach statistics don’t suggest that the need for experts in the field will be lessened any time soon.

Cybersecurity expenditures are expected to rise above $1 trillion by 2025 (Source: Cybersecurity Ventures). Once again, just like the jobs figures, this points to a very secure future for those pursuing a career in cybersecurity. The question remains if these expected expenditures will be enough to prevent data breaches or at least bring them down significantly.

The annual cost of cybercrime damages is expected to hit $6 trillion by 2021(Source: CyberSecurity Ventures). The rate of these crimes is only expected to increase. Criminals are finding increasingly clever and diabolical ways to get their hands on data. This, coupled with the projections for further data breaches, spells an unwelcome story going forward. Some estimates have the number as high as $10 trillion. In this context, whatever the cost of cybersecurity may be it seems like a worthy investment.

65% of companies have over 500 employees who have never changed their password (Source: Varonis). I believe most people are guilty of not changing their password often enough. This makes it easy for would-be cybercriminals to gain access to sensitive information through compromised passwords. An easy solution to these problems is an automated system that requires employees to regularly change passwords. Many such programs are free and easily implemented by IT professionals. One caveat: current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation on its own, favouring screening new passwords against breached-password lists and requiring a change when there is evidence of compromise.

Ransomware, especially with the advent of cryptocurrencies, is an increasingly popular way for hackers to make money. Ransomware attacks are growing more than 350% annually (Source: Cisco). A ransomware attack is designed to hijack the targets’ systems and hold them hostage in exchange for certain demands. These attacks are particularly effective and growing in number as the data from Cisco shows. The increase in cyber attacks is bound to continue in the foreseeable future.

The damage costs of ransomware will rise to $11.5 billion in 2019 (Source: Cybersecurity Ventures). Once again, ransomware holds data and entire systems hostage until demands are met. Independent risk evaluators argue that paying the ransom leads to greater security vulnerabilities and greater total loss.

A business falls victim to a ransomware attack every 14 seconds(Source: Cybersecurity Ventures). Something that differentiates cybercrime from any other kind of crime is the automation that can be deployed by perpetrators. Automation allows for cyber attacks to be deployed simultaneously and relentlessly. Failed attacks can be tried again almost infinitely. The number of cyber attacks each day keeps going up. Automation may also be the key to protection from these types of attacks, but for now it is not yet clear how to utilize this technology. As the stakes get higher and cybercriminals become more aggressive, the incentive to develop a solution will rise as well.

Of all files, 21% remain completely unprotected(Source: Varonis). This isn’t as startling of a revelation when compared to the other cybersecurity stats, but it is an alarming number of unprotected files. Of course, just because a file isn’t protected, doesn’t mean it’s accessible.

Reported system vulnerabilities went up by 16% in 2017 (Source: Varonis). The full reports for 2018 have not become available at the time of this writing, but early indications have this figure even higher over the past year. As tech evolves, most do not upgrade immediately. Older systems have different security vulnerabilities. If these are not addressed in a timely manner the systems are exposed even more with every passing day.

95% of data breaches are attributed to human error (Source: Cybint Solutions). With a large data breach, all eyes and fingers begin pointing to the IT department. The fact of the matter is that these data breaches can very rarely be attributed to the folks over in IT. Breaches caused purely by information technology security failures are few and far between. User error, or actions that fall outside IT-recommended behavior, will always cause more problems than simply following the guidelines set by the IT department.

Phishing mail, just like the popular hobby with a similar name, is extremely common and simple. 30% of U.S. users open phishing emails(Source: Verizon). Unsurprisingly, phishing attacks make up a large amount of cyber security incidents. It is quite likely that most of us have opened phishing emails at some point in time. Kaspersky’s anti-phishing software has caught hundreds of millions of them every year.

12% of those who opened phishing emails later opened the infected links or attachments (Source: Verizon).
As we await the arrival of 2019 cyber security statistics, the report from Verizon shows that phishing attacks had a moderately high success rate. With more and more people understanding the dangers that lurk with these attacks, the hope is that this number will continue to fall in the coming years.

In the last year, 76% of businesses reported that they had been the victim of a phishing attack (Source: Wombat). Phishing attacks are the most common cyber security attack. This type of attack is a big part of why there are so many compromised passwords. If you check your spam folder in your email, it is more than likely that you will find several of them. If a phishing email makes it past the filters into the inbox, to the untrained eye it will seem like a legitimate message that can be trusted.


When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.

Shadow IoT definition

Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The closest precedent dates from before bring your own device (BYOD) policies existed, when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”

Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.

In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.

How prevalent is shadow IoT?

Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.

One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:

  • Fitness trackers such as Fitbits, 49 percent
  • Digital assistants such as Amazon Alexa and Google Home, 47 percent
  • Smart TVs, 46 percent
  • Smart kitchen devices such as connected microwaves, 33 percent
  • Gaming consoles such as Xboxes or PlayStations, 30 percent

What are shadow IoT’s risks?

IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2017 compared to 2016, according to Symantec’s 2018 Internet Security Threat Report.

Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”
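The recurring point in this section is that IT cannot secure what it cannot see, and the cheapest place to start seeing is the DHCP server: every device that joins the network asks it for an address. The following is an added example, not code from the original article or from Infoblox or 802 Secure. It parses ISC dhcpd-style DHCPACK lines, compares each MAC against an asset inventory, and flags unregistered devices, with a hostname heuristic to pull out the consumer IoT gear first. The log lines, MAC addresses, hostnames, inventory and the list of hostname hints are all constructed for the example; a real deployment would also match the MAC’s OUI against the IEEE registry.

```python
"""Shadow IoT audit: spot unregistered devices in DHCP server logs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ISC dhcpd-style syslog lines. Everything in SAMPLE_LOG is constructed for this
# example; the MAC addresses, hostnames and IPs do not belong to real devices.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Hostname fragments typical of consumer IoT gear (heuristic, assumed; extend per site).
IOT_HINTS = ("fitbit", "echo", "alexa", "google-home", "chromecast",
             "smarttv", "bravia", "xbox", "playstation", "nest", "thermostat")


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str
    iface: str


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    host: str
    status: str   # "registered" | "unregistered-iot" | "unregistered"


def parse_lease(line: str) -> Optional[Lease]:
    """Return the lease from a DHCPACK line, or None for any other log line."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    return Lease(ip=m["ip"], mac=m["mac"].lower(),
                 host=(m["host"] or "").strip(), iface=m["iface"])


def classify(lease: Lease, inventory: Dict[str, str]) -> Finding:
    """Inventory membership is the authority; the hostname hint only prioritises."""
    if lease.mac in inventory:
        status = "registered"
    elif any(h in lease.host.lower() for h in IOT_HINTS):
        status = "unregistered-iot"
    else:
        status = "unregistered"
    return Finding(lease.mac, lease.ip, lease.host or "(no hostname)", status)


def audit(log_lines: List[str], inventory: Dict[str, str]) -> List[Finding]:
    """One finding per MAC, latest lease wins, so a device that renewed is not
    reported twice and its current address is the one shown."""
    latest: Dict[str, Lease] = {}
    for line in log_lines:
        lease = parse_lease(line)
        if lease:
            latest[lease.mac] = lease
    return [classify(l, inventory) for l in latest.values()]


def shadow_devices(findings: List[Finding]) -> List[Finding]:
    """Everything IT does not know about; this is the list to chase."""
    return [f for f in findings if f.status != "registered"]


# Constructed inventory: MAC -> asset tag, as an asset database would export it.
INVENTORY = {
    "02:00:5e:10:00:01": "LAPTOP-0417",
    "02:00:5e:10:00:02": "PRINTER-2F-01",
}

SAMPLE_LOG = [  # constructed
    "Mar  4 09:12:01 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.57 to 02:00:5e:10:00:01 (lt-0417) via eth1",
    "Mar  4 09:12:09 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.58 to 02:00:5e:10:00:02 (prn-2f-01) via eth1",
    "Mar  4 09:13:40 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.61 to 02:00:5e:10:00:a3 (Fitbit-Charge-3) via eth1",
    "Mar  4 09:14:02 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.62 to 02:00:5e:10:00:b4 (echo-kitchen) via eth1",
    "Mar  4 09:15:15 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.63 to 02:00:5e:10:00:c5 via eth1",
    "Mar  4 09:15:16 dhcp1 dhcpd[2114]: DHCPDISCOVER from 02:00:5e:10:00:d6 via eth1",
    "Mar  4 09:16:00 dhcp1 dhcpd[2114]: DHCPACK on 10.20.4.64 to 02:00:5e:10:00:a3 (Fitbit-Charge-3) via eth1",
]

if __name__ == "__main__":
    for f in shadow_devices(audit(SAMPLE_LOG, INVENTORY)):
        print(f"{f.status:17} {f.mac}  {f.ip:12} {f.host}")
```

The inventory check, not the hostname, is what decides whether a device is shadow: a device with no hostname at all (the fifth line) is still reported, just without the IoT hint, since a device that will not even say what it is deserves a look rather than a pass. Devices on a separate, undetected wireless network, the other case the 802 Secure survey describes, never ask the corporate DHCP server for a lease and need RF-side discovery instead.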

Why aren’t most shadow IoT devices secure?

When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.

In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.

With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”

Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.

“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”

Have criminal hackers successfully targeted shadow IoT devices?

Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.

Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”

Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.

In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.

The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.

To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”

3 ways to mitigate shadow IoT security risks

  1. Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.

    “Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”

  2. Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”

    Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”

  3. Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to enable IoT devices to transmit information and to block them from receiving incoming calls. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
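As an added illustration of the third step (not code from the article or from any vendor), the following is a small connection-tracking model of an egress-only IoT segment: devices may open connections outward and receive the replies, but nothing may open a connection to them, and they may not reach the corporate segment. The address plan, flows and segment names are constructed for this example.

```python
# Added example: a minimal stateful model of the "isolate IoT" policy.
# Addresses and segments below are constructed, not taken from any real network.
from dataclasses import dataclass
import ipaddress

SEGMENTS = {  # constructed address plan
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/24"),
}

def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection

class IoTSegmentFirewall:
    """Stateful filter enforcing egress-only behaviour for the IoT segment."""
    def __init__(self):
        self.established = set()  # flow keys (src, sport, dst, dport) opened outward

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.established or reverse in self.established:
            return "accept"      # reply traffic for a flow the device itself opened
        if not p.syn:
            return "drop"        # mid-connection packet with no state: invalid
        src_seg, dst_seg = segment_of(p.src), segment_of(p.dst)
        if src_seg == "iot" and dst_seg == "internet":
            self.established.add(key)
            return "accept"      # device reporting outward: allowed and tracked
        if dst_seg == "iot":
            return "drop"        # nothing legitimate is ever initiated *to* a device
        if src_seg == "iot" and dst_seg == "corp":
            return "drop"        # no lateral movement into the corporate segment
        return "accept"          # other segment pairs are outside this example
```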

Anything shadowy is a problem

“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”


Information technology systems at University of Albany have been targeted with cyber-attacks. In the space of two weeks, UA systems experienced a total of 17 distributed denial-of-service (DDoS) attacks, with threats as recent as Feb. 19.

“Altogether, since February 5, there have been 17 separate instances where the volume of inbound internet traffic has exceeded the carrying capacity of our [internet service provider] for 5 minutes or longer,” said Martin Manjak, UAlbany’s chief information security officer.

DDoS attacks flood a network with malicious requests, disrupting the normal flow of data between servers and legitimate users attempting to connect.
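As an added example (not from the article or from UAlbany), here is how the criterion quoted above, inbound traffic exceeding link capacity for five minutes or longer, can be applied to per-minute throughput samples to count saturation episodes while ignoring short bursts. The link capacity, dates and readings are constructed for illustration.

```python
# Added example: count link-saturation episodes from per-minute inbound readings.
# Capacity and sample data are constructed; the 5-minute threshold is the quoted criterion.
from datetime import datetime, timedelta

LINK_CAPACITY_MBPS = 1000    # constructed ISP carrying capacity
MIN_EPISODE_MINUTES = 5      # "5 minutes or longer"

def saturation_episodes(samples, capacity=LINK_CAPACITY_MBPS, min_minutes=MIN_EPISODE_MINUTES):
    """samples: sorted list of (datetime, inbound_mbps), one reading per minute.
    Returns [(start, end, peak_mbps)] for every run of contiguous readings at or
    above capacity lasting at least min_minutes; shorter bursts are not counted."""
    episodes, run, prev_t = [], [], None

    def flush():
        if len(run) >= min_minutes:
            episodes.append((run[0][0], run[-1][0], max(v for _, v in run)))
        run.clear()

    for t, mbps in samples:
        contiguous = prev_t is None or t - prev_t == timedelta(minutes=1)
        if mbps >= capacity and contiguous:
            run.append((t, mbps))
        else:
            flush()                      # gap or sub-capacity reading ends the run
            if mbps >= capacity:
                run.append((t, mbps))    # start a new run at this reading
        prev_t = t
    flush()
    return episodes

def constructed_samples():
    """A constructed six-hour series: background load plus three floods, one too short."""
    day = datetime(2019, 2, 5)           # constructed date
    start = day.replace(hour=9)
    readings = []
    for i in range(6 * 60):              # 09:00 to 15:00
        t = start + timedelta(minutes=i)
        mbps = 300
        if day.replace(hour=10) <= t < day.replace(hour=10, minute=8):
            mbps = 1400                  # 8-minute flood: counts
        elif day.replace(hour=11) <= t < day.replace(hour=11, minute=3):
            mbps = 1200                  # 3-minute burst: too short, ignored
        elif day.replace(hour=13, minute=30) <= t < day.replace(hour=13, minute=36):
            mbps = 2100                  # 6-minute flood: counts
        readings.append((t, mbps))
    return readings
```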

These attacks have impacted the availability and functionality of several UA IT systems, particularly Blackboard. According to Manjak, neither the integrity nor confidentiality of university information has been compromised.

Manjak said he believes the attacks may be related. However, no one has claimed responsibility and no motive has been identified.

“All we know is that the resource being targeted is Blackboard,” Manjak said.

Computers on UA’s network, like those in the library, were not affected by the DDoS attack. However, students and faculty using their own devices were unable to access Blackboard.

“We’re able to maintain access to electronic resources from on-campus through a combination of firewall and filtering rules,” Manjak said, “but access from off-campus was affected because the attacker(s) filled our internet pipe.”

Members of the UA community received two information security alert emails from Manjak about the attacks, one on Feb. 5 and the other on Feb. 18.

“Communication is sent to the University community when we identify an active threat that has the potential to impact the entire campus,” Manjak said.