IoT is everywhere. From the moment Alexa wakes us up to our morning commutes--consumers are more adjusted to the IoT sector than they may know. In fact, according to data from IoT Analytics, there are about 7B internet-connected devices and that number is only expected to grow in the next few years -- about 21.5B by 2025.
However, as the world continues to rush head-first into taking all manner of devices and systems online, serious security implications have emerged. Each new connected device, whether it’s an internet-connected garage door opener, a doorbell, a thermostat or even a box of connected light bulbs has the potential to expose very real vulnerabilities.
Other industrial IoT devices-- think smart city infrastructure, remote health monitoring and disease detection, crop monitoring, accident prediction and detection, traffic monitoring-- the list goes on-- can have even more dire consequences. The slightest misconfiguration or poor security practices can serve as a point of entry for sophisticated cyber-attacks, security breaches and data theft.
Since IoT is a network of connected devices, a single compromised device holds the potential to take down an entire network, crippling an organization.
This is due in part to the lack of defenses in ageing firmware or architectures, as well as a general lack of infosec housekeeping. Among today’s organizations, many IT departments are not even aware of many of the devices on their networks, making the task of patching security issues nearly impossible.
According to a recent report by the Ponemon Institute, in 2017, only 15% of survey participants had suffered an IoT-related data breach. That number jumped to 26% in this year’s report, which surveyed 625 risk management and governance experts. When asked whether it is likely that their organizations will experience a cyber-attack such as a denial-of-service (DoS) attack caused by unsecured IoT devices or applications in the next 24 months, 87% of respondents said yes.
Unfortunately, when we look at existing Internet standards, it’s clear that most did not have the vision to include IoT, as it an emerging concept and use cases, devices, etc. are still continuing to evolve. Add to this, many of today’s IoT devices have also been deployed using proprietary protocols which makes communication between multiple IoT devices very difficult.
It also makes standardization more complicated. With tens of thousands of companies jostling for space across very diverse industries, arriving at standardization will take time.
However, there are steps that IT teams can take today to address their security needs as the industry comes together to create more comprehensive standards. Here’s what IT teams need to know about managing IoT devices and minimizing endpoint vulnerabilities:
- Every device is an attack vector for ransomware attacks: In fact, IoT may even be the preferred route of attack for ransomware moving forward. That’s why it’s essential for IT teams to recognize what devices are on their systems and make sure that only trusted, secure devices can be added. You don’t want bad actors to be able to connect devices to your IoT solution that aren’t genuine, aren’t running trusted software, or aren’t working on behalf of a trusted user.
- If you don’t know what you have and where it’s at, you can’t manage it: As the number and types of assets increase exponentially, so do the tools that we use to manage them. In the past five to 10 years, things have only gotten more complicated with the addition of BYOD, IoT, mobile devices among others. For example, who is responsible for devices that aren’t owned by the organization? Is it IT’s responsibility to understand which devices are accessing corporate resources? With access to email and corporate information on our smartphones and tablets, how can IT and security departments know whether those devices are secure? IT teams need to work with a solution that can manage it all. Instead of having several different endpoint solutions, it’s important to find one comprehensive solution that will allow you to discover all devices on your system, develop a comprehensive inventory, identify patches and firmware updates and integrate with your current system architecture to allow for complete asset and device management.
- Standard patch hygiene is essential: Many people and/or organizations who suffer from attacks do so due to lack of patching. The ability to update and maintain remote device software securely is one of the most important components of good device management. The vast majority of successful attacks today are using known vulnerabilities in well-known software that have already been patched by software vendors. What that means is that most successful attacks, like WannaCry or NotPetya for example, can be stopped just by knowing what’s out there and making sure it’s patched. Updating your devices is extremely important.
- Be sure to follow the Principle of Least Privilege: Only provide administrative privileges to the people who need it. Enforce the minimal level of user rights, or lowest clearance level, that allows a user to perform his/her role. Least privilege also applies to processes, applications, systems, and devices (such as IoT), in that each should have only those permissions required to perform an authorized activity. In fact, Forrester Research estimates 80% of today’s security breaches involve privileged credentials, which is why enforcing least privilege has become instrumental in reducing security risks.
- Take immediate action: We are not seeing enough organizations do this. Data breaches happen often. To ensure the safety of yourself and your business, always be sure to change your password once a data breach has been disclosed. Also, enabling two-factor authentication, updating admin account security, and regularly installing security patches goes a long way to bolstering your security footprint.
As the IoT industry continues to rapidly evolve, we’ll continue to see a greater push towards better levels of security. The network has become a clear focal point for enterprise security and to prevent intrusion and ensure that only proper devices have access, collaboration between security and network personnel will be key.