Nation State hacked JumpCloud || Labels for IoT security
CyberInsights #103 - JumpCloud hack || Strengthening IoT security with labels
“Extremely Targeted attack” on JumpCloud
A cloud service provider supporting more than 200k organisations claims to have been targeted by a nation state
As per this Ars Technica report, JumpCloud, a cloud services provider with more than 5000 paying customers, has been the target of an attack by a nation state. JumpCloud’s CISO said:
These are sophisticated and persistent adversaries with advanced capabilities.
Nation state attacks generally target infrastructure that is ‘critical’ for running a country. Critical infrastructure includes oil and gas pipelines, telecom, electricity companies, capital markets, etc. Nation states do not often target IT services companies. This could be changing. Large IT services companies provide services to government organisations and can serve as an attack vector for data as well as a path into more crucial infrastructure.
In the case of JumpCloud, they say there was ‘Data Injection into the command framework’. Does this point to a simple miss in the data validation? That does not sound like the work of very ‘sophisticated and persistent adversaries’. We just have to wait for JumpCloud to release more data about the attack vector.
Take Action:
If you are a JumpCloud user, you do have some action items. Read here for more details.
If you are not, consider what business you are in. If you are a part of critical infrastructure for your nation, conduct a detailed risk assessment before you decide on going to cloud vendors like JumpCloud.
If you are a service provider, make sure you have a profile of your clients and the risks associated with them handy. It’s not enough to have a TIER 5 data centre if your clients are nation states and your adversaries could be other nation states. Implement security controls based on your client profile, not just the compliance requirements of some standard.
Adding security labels to IoT devices
It’s a simple concept. It’s practical and it should be mandated by every nation.
The concept is very simple. Label things and people will read them before buying. They will make better choices. Label the calories on a pack of junk food and people buy less of it.
Label an IoT device for ‘security rating’ and people will be able to choose the right option. An Energy Star compliance rating helps a consumer choose a more efficient electrical device. Can we come up with a similar rating for our home router?
The US government has unveiled its consumer technology labelling program to help consumers choose a more secure device.
The US Cyber Trust Mark is a security labelling program for smart devices.
It’s a great initiative.
Take Action:
The initiative is a step in the right direction. Connect with your local government’s outreach program and contribute to the initiative. While appearing simple, the labelling is more complex. It’s not as easy as counting calories or energy consumption. The metrics are not very easy to define. Most of the readers of CyberInsights are from the US and they should contribute to this effort. Read the official White House release here.
For those readers who are not from the US, see how you can socialise this with your governments. Some readers are in a position to influence policymakers for setting this in place. If you are, please take this up with your governments and be a part of the brainstorming circles. Indian readers can reach out to CERT-In or the MeITY for this.