How to Avoid an IoT Doomsday
By Ken Galvin
IoT is everywhere. From the moment Alexa wakes us up to our morning commutes, consumers are more adjusted to the IoT sector than they may know. In fact, according to data from IoT Analytics, there are about 7 billion internet-connected devices and that number is only expected to grow in the next few years, to about 21.5 billion by 2025.
However, as the world continues to rush head-first into taking all manner of devices and systems online, serious security implications have emerged. Each new connected device—whether it’s an internet-connected garage door opener, a doorbell, a thermostat or even a box of connected light bulbs—has the potential to expose very real vulnerabilities. Other industrial IoT devices (think smart city infrastructure, remote health monitoring and disease detection, crop monitoring, accident prediction and detection, traffic monitoring … the list goes on) can have even more dire consequences. The slightest misconfiguration or poor security practices can serve as a point of entry for sophisticated cyberattacks, security breaches and data theft. And, since IoT is a network of connected devices, a single compromised device holds the potential to take down an entire network, crippling an organization.
This situation is due in part to the lack of defenses in aging firmware or architectures, as well as a general lack of infosec housekeeping. Among today’s organizations, many IT departments are not even aware of many of the devices on their networks, making the task of patching security issues nearly impossible. According to a recent report by the Ponemon Institute, in 2017 only 15% of survey participants had suffered an IoT-related data breach. That number jumped to 26% in this year’s report, which surveyed 625 risk management and governance experts. When asked whether it is likely that their organizations will experience a cyberattack such as a denial-of-service (DoS) attack caused by unsecured IoT devices or applications in the next 24 months, 87% of respondents said yes, according to the report.
Unfortunately, when we look at existing internet standards, it’s clear that most did not have the vision to include IoT, as it is an emerging concept and use cases and devices continue to evolve. Add to this, many of today’s IoT devices were deployed using proprietary protocols, which makes communication between multiple IoT devices very difficult and standardization more complicated. With tens of thousands of companies vying for space across very diverse industries, arriving at standardization will take time.
Until that time, there are steps IT teams can take today to address their security needs. Here’s what IT teams need to know about managing IoT devices and minimizing endpoint vulnerabilities:
1. Every device is an attack vector for ransomware attacks: In fact, IoT may even be the preferred route of attack for ransomware moving forward. That’s why it’s essential for IT teams to recognize what devices are on their systems and make sure that only trusted, secure devices can be added. You don’t want bad actors to be able to connect devices to your IoT solution that aren’t genuine, running trusted software or working on behalf of a trusted user.
2. You can’t manage what you don’t know: As the number and types of assets increase exponentially, so do the tools that we use to manage them. In the past five to 10 years, things have gotten more complicated with the addition of BYOD, IoT and mobile devices, among others. Who is responsible for devices on the network that aren’t owned by the organization? Is it IT’s responsibility to understand which devices are accessing corporate resources? With access to email and corporate information on our smartphones and tablets, how can IT and security departments know whether those devices are secure? IT teams need to work with a solution that can manage it all. Instead of having several different endpoint solutions, it’s important to find one comprehensive solution that will allow you to discover all devices on your system, develop a comprehensive inventory, identify patches and firmware updates and integrate with your current system architecture to allow for complete asset and device management.
3. Standard patch hygiene is essential: Many organizations suffer from attacks because of a lack of patching. The ability to update and maintain remote device software securely is one of the most important components of good device management. The vast majority of successful attacks today are using known vulnerabilities in well-known software that have already been patched by software vendors. What that means is that most successful attacks, including WannaCry or NotPetya, for example, can be stopped just by knowing what’s out there and making sure it’s patched. Updating your devices is extremely important.
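Points 2 and 3 above (know what is on the network, then make sure it is patched) come down to one reconciliation step: compare the devices you have sanctioned against what discovery actually observes, and flag anything unknown, anything behind the vendor-fixed firmware, and anything that has gone missing. The following is an added example, not the author's or any vendor's code; the approved inventory, the observed devices and the version strings are all constructed sample data.

```python
"""Added example: reconcile an approved IoT inventory with observed devices.
All device data here is constructed sample input, not real assets."""

# Constructed inventory of sanctioned devices: MAC -> (model, firmware that fixes known issues)
APPROVED = {
    "aa:bb:cc:00:00:01": ("thermostat-x1", "2.4.1"),
    "aa:bb:cc:00:00:02": ("doorbell-d2", "1.9.0"),
    "aa:bb:cc:00:00:03": ("bulb-hub-h3", "5.0.2"),
    "aa:bb:cc:00:00:04": ("camera-c4", "3.1.0"),
}

# Constructed observations, e.g. what a discovery scan or DHCP lease table reports
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.5.11", "firmware": "2.4.1"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.5.12", "firmware": "1.7.3"},
    {"mac": "aa:bb:cc:00:00:04", "ip": "10.0.5.13", "firmware": "unknown"},
    {"mac": "de:ad:be:ef:00:09", "ip": "10.0.5.40", "firmware": "0.9.0"},
]


def parse_version(text):
    """Turn '1.9.0' into (1, 9, 0); raise ValueError for anything unparseable."""
    return tuple(int(part) for part in text.strip().split("."))


def reconcile(approved, observed):
    """Return unknown devices, devices behind the fixed firmware, and approved devices not seen.
    A device whose firmware cannot be parsed is treated as needing attention, not ignored."""
    unknown, outdated, seen = [], [], set()
    for dev in observed:
        mac = dev["mac"]
        if mac not in approved:
            unknown.append(dev["ip"])  # unsanctioned: candidate for quarantine/review
            continue
        seen.add(mac)
        model, fixed = approved[mac]
        try:
            behind = parse_version(dev["firmware"]) < parse_version(fixed)
        except ValueError:
            behind = True  # unreadable version: cannot prove it is patched
        if behind:
            outdated.append((model, dev["ip"], dev["firmware"], fixed))
    missing = sorted(mac for mac in approved if mac not in seen)
    return {"unknown": unknown, "outdated": outdated, "missing": missing}


if __name__ == "__main__":
    for category, items in reconcile(APPROVED, OBSERVED).items():
        print(category, items)
```

Feeding the script real discovery output instead of the constructed lists gives the patch list point 3 asks for, and the "unknown" bucket is where the untrusted devices point 1 warns about show up.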
4. Be sure to follow the Principle of Least Privilege: Provide administrative privileges only to the people who need it. Enforce the minimal level of user rights, or lowest clearance level, that allows a user to perform their role. Least privilege also applies to processes, applications, systems and devices (such as IoT) in that each should have only those permissions required to perform an authorized activity. Forrester Research estimates 80% of today’s security breaches involve privileged credentials, which is why enforcing least privilege has become instrumental in reducing security risks.
5. Take immediate action: We are not seeing enough organizations do this. Data breaches happen often. To ensure the safety of yourself and your business, always be sure to change your password once a data breach has been disclosed. Also, enable two-factor authentication, update admin account security and regularly install security patches—all go a long way to bolstering your security footprint.
As the IoT industry continues to evolve, we’ll continue to see a greater push toward better levels of security. The network has become a clear focal point for enterprise security; to prevent intrusion and ensure that only proper devices have access, collaboration between security and network personnel will be key.