If you think that everything is connected to the internet, you wouldn’t be too far off on your assumption. The Internet of Things (IoT), which stands for any device connected to the internet or machine to machine connectivity, is commonplace in almost every type of business. By 2020, it’s expected that there will be 24 billion IoT devices, with every person owning and using at least four connected devices. Many of those devices will be connected to your network and accessing your data. Although much of the IoT appears innocent, every device creates a potential risk for your business.
Security Not Intuitive
IoT devices are an outlier when it comes to cybersecurity. We know how to approach security on our computers and networks, and we’re getting better at addressing cybersecurity on mobile devices. But IoT has a lot of cybersecurity strikes against it before the devices are even plugged into the system.
First of all, they are not built with security in mind, as most devices that are now considered IoT were never designed to be connected to the internet. Instead, these are products that manufacturers want on the market quickly, so the developer’s focus is coming up with a design that works first, and figure they will worry about security later. The problem is, by the time anyone gets around to thinking about security, there has already been an incident.
Secondly, no one is doing a very good job at maintaining security on these devices. The firmware used in IoT is not regularly updated. Too many devices use outdated software and unsupported operating systems with vulnerabilities that open the door for zero-day attacks. Default passwords on devices aren’t being changed and strengthened. Ignoring simple security practices makes it easier for hackers to get through.
The third strike in IoT cybersecurity is the sheer volume of endpoints that are now attached to your network. Each endpoint is a potential entry point for attackers. The more devices connected, the more chances for hackers to find their way to your data.
“The very nature of IoT devices can make them difficult to secure with traditional technical means,” said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company. “Often, these are consumer-grade devices which lack proper encryption of their network traffic, have no or very weak credentials to access, or do not have fundamental security controls built into them, as they are meant to be lightweight devices serving a singular purpose.”
Malware Designed to Target IoT
While international adversaries introduce bedlam to core internet infrastructure, attackers will hone their abilities to exploit the increasing numbers of physical assets connected through the IoT, explained Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security, and risk management. “Ransomware,” he said, “already one of the most prevalent ways to exploit the value that organizations place on digital information, will evolve to target connected smart physical devices integral to daily life and business functionality.”
Holding these assets for ransom threatens the security of customers and employees, interrupting operations and causing heavy financial losses.
We’re already beginning to see the first threats of ransomware specifically targeting IoT. Last fall the Mirai botnet used IoT devices, primarily cameras, to overwhelm Dyn, which handles DNS for many organizations, with DDoS attacks, making a large portion of the internet inaccessible. With the lack of security controls on IoT, the devices and everything connected to it will become a prime target for all types of malware attacks.
Protect Your Devices
To protect against the scale and scope of these threats, organizations will be forced to rethink their defensive model, particularly its business continuity and disaster recovery plans, according to Durbin. Revised plans should cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices, or people. Devices should be protected by a firewall, and IT may want to consider setting up a separate network specifically for IoT. In any case, every device that is connecting to the network should be accounted for – not an easy task with so many devices available.
More complicated strategies might include preventing all access to and from the IoT devices, save for specific administrative hosts which manage the devices. But this can be an expensive and complicated solution, which still leaves the possibility for compromise should an attacker manage to compromise the administrative hosts or spoof being that host.
To survive in the hyper-connected world we live in, organizations depend on instant and uninterrupted connectivity, smart physical devices and machines, and trustworthy people. Using tools such as the Threat Sketch Risk Assessment, you can see how prepared you are to secure every device that has access to your data.
About the author: Sue Poremba. Sue is a Central PA-based writer who has covered cyber security since 2008.