Analytics and Cybersecurity
By Dominic Alvieri
May 23rd, 2023
This KPI Isn't Pointing in the Right Direction
Fortune 500 companies are expanding their attack surfaces in a new data analytics push.
Cybersecurity takes a back seat for data analytics in a manufacturing executives dream which is turning out to be a security nightmare. It's called the connected shop floor and in this current version isn't going to end well. Corporate executives are unintentionally and unnecessarily exposing themselves to unnecessary risks.
"This is largely driven by connecting machines using IoT and enabling Ai to digitize the results"
Apple iPads and Microsoft Bi along with several outsourced apps and technologies are involved.
100's of new endpoints and unrestricted devices
All employees who have access to these new IoT devices running the backbone of this technological shop floor had open browser access and email capabilities. Personal emails as well as corporate and a host of new apps and software.
Oops, an employee just clicked on one of their personal emails and got phished.
Before drilling deeper into the technologies and possible exploits available for a starter there are hundreds of new IoT devices with an unrestricted browser able to view porn, YouTube or TikTok videos. A small time phisherman with a low grade infostealer may unknowingly get access to a Fortune 500 company employee and not even know it.
The good news
Executives are starting to learn about cybersecurity. The bad news? They are slow and stubborn.
Here is a no brainer-restricting employee browser access.
App Avalanche
Once again executives are slow in embracing cybersecurity. They need the numbers to crunch to squeeze every last ounce of shareholder value that you can. Security often takes a back seat.
"Cybersecurity does not add revenue" one executive told me on the condition of anonymity.
Exploitable
Querying one of the apps being used in one version of the connected floor returned an interesting response resulting in an error in my SQL syntax. Input sanitation issues are red flags indicating injection flaw exploits.
Obviously I am unable to mention the firm or app until the issue is resolved.
There are other exploitable alleys in this project.
The Deeper I Drill...
I have not received any responses to my questions regarding the above mentioned security issues along with an uncovered topic.
I am offensive in nature even in a defensive posture.
...
There are more holes in the floor.
No comments:
Post a Comment