Move over, compromised employee laptops, hacked personal phones, and company servers. A survey from Forrester found that the No. 1 target in external attacks was Internet-of-Things, or IoT, devices.
The top spot for IoT demonstrates how the range of tough-to-track enterprise devices—from printers to projectors to smart refrigerators—is attractive to hackers. The internet-connected gadgets hold valuable data and can serve as a command-and-control point from which to reach other devices on a network.
“People think, ‘You can’t do a full-blown attack off of this device,’” said Paddy Harrington, a senior analyst at Forrester. “Well, people prove them wrong.”
What’s IoT to ya? An Internet-of-Things device can be defined as a nonstandard computing device that connects wirelessly to a network and can transmit data. (Looking at you, smart toilet.) For an enterprise, that could include a printer, a smart refrigerator, or a camera.
Those unassuming devices pose unique security risks as entry and pivot points, according to Microsoft’s 2022 Digital Defense Report. “Millions of IoT devices are unpatched or exposed,” the study said.
Hackers recently have looked for—and often found—vulnerabilities in IoT devices at both home and the office, including garage doors, smart intercoms, and casino fish tanks.
Forrester found that 33% of the 490 global security decision-makers surveyed said IoT devices had been targeted in an external attack, ranking just above employee- or corporate-owned mobile devices and computers. (A study from the previous year observed IoT to be a leading, but not the No. 1, vector.)
Open ports, often used for remote management of devices, can be discovered by hackers and their scanning tools; once an unauthorized user gets in through such a port, the device can become a “pivot point,” as Microsoft calls it, for moving further into the network.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected]
TOGETHER WITH SECUREFRAME
Is it just us, or does the list of security and privacy frameworks just keep growing? SOC 2, ISO 27001, HIPAA, PCI…you get the picture.
If it feels like you’re racing the clock to have compliance locked in for requesting prospects, turn to the trusted compliance provider that can get you compliant in weeks: Secureframe. Yep, weeks, not months.
As a highly comprehensive security and compliance automation platform with over 100 integrations, built-in security training, and vendor and risk management, Secureframe continuously detects and remediates misconfigurations across your tech stack, all while giving you complete viz.
With unmatched expert guidance from former auditors and industry pros every step of the way, Secureframe’s got ya covered—and compliant.
See how it works with a demo.
The Cyberspace Administration of China (CAC) has implemented a nationwide ban on the purchase of Micron products by “critical national infrastructure operators” after concluding the US memory chipmaker poses a supply chain security risk.
In a statement posted to its website, translated from Chinese, the CAC wrote that Micron had failed a Network Security Review Office review of its products. According to the translated statement, Micron has “relatively serious potential network security issues, which pose a major security risk” to China’s “key information infrastructure supply chain” and “national security.”
The announcement didn’t go into further detail as to the exact security risk of Micron silicon. But as the Register noted, whatever the CAC claims to have found is apparently not serious enough to warrant a “rip and replace operation” in which Chinese agencies and firms would be required to yank all Micron memory, storage devices, and other products from operational gear. The Register further noted that memory is not exactly a bespoke product; it’s manufactured in large quantities by Chinese companies, so the procurement ban may cause minimal disruption to China’s tech sector.
The story for Micron may be different, however: Paul Triolo, consultancy Albright Stonebridge’s SVP for China and technology policy lead, told Ars Technica the firm could take a big hit: “This could be really bad for Micron. It depends how broad China’s definition of critical information infrastructure is, but this could include the financial sector, transportation, energy and data centers.”
CNN reported that Micron estimates the potential impact could be in the “high single-digit” range as a percentage of annual revenue.
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected] Want to go encrypted? Ask Tom for his Signal.
The Department of Defense presented a new cyber strategy that takes the lessons learned from the Ukraine war and applies them to a changing threat landscape.
A public May 26 fact sheet detailed some of the changes; the strategy itself remains classified. Of primary importance, the department said, is that the strategy continues to prioritize stopping threat actors before they become an immediate danger to US interests. DOD will also continue to work with allies and to assert cyber dominance.
Pentagon officials transmitted the classified strategy to Congress, calling it “subordinate to the 2022 National Security Strategy and the 2022 National Defense Strategy.” The DOD strategy is meant to complement the 2023 National Cybersecurity Strategy released by the White House in March.
School days. Lessons learned from the Ukraine war are expected to help the effort, the Pentagon said in the fact sheet.
“Since 2018, the Department has conducted a number of significant cyberspace operations through its policy of defending forward, actively disrupting malicious cyber activity before it can affect the US Homeland,” DOD said. “This strategy is further informed by Russia’s 2022 invasion of Ukraine, which has demonstrated how cyber capabilities may be used in large-scale conventional conflict.”
US Cyber Command commander Gen. Paul Nakasone told reporters in May that the strategy wouldn’t change much from the 2018 guidance, a key directive of which was for Cyber Command to “defend forward” against threats.
“There was a huge inflection point in 2018 with the Defend Forward,” Nakasone said. “I don’t see, necessarily, a huge change in the strategy coming out.”
DOD said it will release an unclassified summary of the strategy in the coming months.—EH
SPONSORED BY NUDGE SECURITY
SaaS apps sprawling out of control? Nudge Security gives your IT team full visibility into every SaaS and cloud account created by anyone in your organization. And the “most likely to experiment” list will show you who has introduced the most new apps. Get a free 14-day trial.
Today’s top IT reads.
Stat: $50,000. That’s the median amount stolen from business email compromise attacks, according to a 2023 data breach incident report—a study from Nov. 1, 2021, to Oct. 31, 2022. (Verizon/Computer Weekly)
Quote: “…you can’t just go up there and reboot them.”—James Pavur, lead cybersecurity software engineer at Istari, referring to satellites and efforts to test their security from Earth (the Register)
Read: Why India’s hacking-for-hire business is prospering. (The New Yorker)
Founders frameworks: Infosec frameworks are often described in vague, verbose language. That’s why Thoropass created a guide for founders to understand which framework best suits their biz. Get your guide.*
*This is sponsored advertising content.
Check out the IT Brew stories you may have missed.