On Friday, October 21, a massive distributed denial-of-service (DDoS) attack was launched against Dyn, an internet infrastructure company. The attack came in at least three waves and made it impossible to access a range of very popular websites, including Twitter, Amazon, Netflix and many others. The attack appears to have been launched by a piece of malware, called Mirai, which scours the web for internet of things devices and then enlists those devices to attack a targeted website.
A similar attack was unleashed a month before on the security news site KrebsOnSecurity. That attack was carried out by some 145,000 IoT devices and was described as a giant botnet hijacking internet-connected things, including smart cameras and light bulbs.
These attacks caused significant disruption and are likely to have been costly for the companies affected, but they have also accomplished something good. By calling attention to the widespread infection of IoT devices, the DDoS attacks have spurred a long overdue discussion about the sizable gaps in their security.
What types of devices are connected?
When we talk about IoT, we mean all those devices that communicate and can be accessed via the internet based on their IP addresses. They include traditional office equipment like printers, copiers and video projectors, as well as the televisions in the conference room and reception areas. They also include less obvious devices, like the refrigerator and coffee maker in the break room. An increasing number of other equipment — such as climate control systems, motion detectors, and security and lighting systems — are also equipped with intelligence and remote access, so they can be controlled over the internet. Production systems are moving forward with IP-based machinery and industry 4.0. Last but not least, employees’ personal devices — such as ubiquitous smartphones or smartwatches — play a role in a company’s security.
All these internet-connected devices create access points through which hackers can infiltrate a company’s network, and because of the wide range of devices and technologies, it is difficult to implement a cohesive security strategy. But the Krebs attack showed that it is no longer science fiction to imagine that a company could be attacked through these devices. The time has come to define policy for them and put protections in place.
Where does the risk come from?
The main problem with IoT devices is that their manufacturers have been slow to implement security. Many devices, like security monitoring cameras, are produced as inexpensively as possible and are accordingly equipped with the most basic software, which often can’t be updated.
As awareness increases, some “smarter” IoT devices can be brought up to current security standards with periodic firmware updates. While it’s a start, the majority of internet-ready devices cannot be integrated into the conventional IT hardware or software protections with which companies protect themselves against internet-based attacks. The variety of new internet-ready devices brings a mass of new data traffic to the network that must be managed and secured by IT departments. But it’s complicated by the variety of network protocols used by all of these various device types.
The consumerization of IT is another factor due to the increasingly permeable borders between devices for personal use and those for business. New challenges arise as new device categories like smartwatches communicate with the internet. The integration of personal devices into a security strategy is important because more and more attacks on companies are started specifically against individual employees. If a personal device is infected with malware, it can be used to gain a foothold and wreak havoc the next time it connects to the company’s network.
Who should be responsible for securing IoT communications such as the copier that sends data about usage and orders toner over the internet? Does this security — along with the protection of all the company’s data and assets — fall under the CISO’s domain? Defining who owns responsibility for IoT security is an important first step.
Inventory the IoT devices in your company
Without knowing which devices exchange data within the network or with the internet, there is no way to develop an adequate security strategy. After an extensive inventory of all internet-ready devices, the IT department will have the opportunity to secure the flow of data against malware or unauthorized communication behavior.
In theory, a company should evaluate every single device that is added to the network. While servers, desktops and laptops are tested extensively — and even mobile devices are getting more attention from administrators — countless additional devices are often ignored even though they actively communicate over the network. It is also important to consider all network devices for penetration testing to determine what data they send on the internet. Some of this data is harmless, but it can be used as the basis for an attack when combined with other information.
Company guidelines should be updated to include the use of IoT devices. They should, for example, define which devices are permitted on the company network and what data exchange with the network or the internet is wanted. Unwanted traffic can be prevented with the right security technology.
New security mechanisms are required
IoT introduces additional complexity for security. Companies are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s IT environment because users and apps can no longer be contained inside a company’s network, behind a clearly defined protective wall.
Companies should evaluate new security concepts that have already proven reliable for protecting mobile employees and branch locations. For example, a protective shield from the cloud can scan all incoming and outgoing data traffic for malicious code, regardless of the device used. With cloud solutions, companies gain control of all internet-based traffic and can actively manage which communications are permitted or should be blocked. This can include preventing the printer from automatically ordering toner and restricting all other devices to a minimum amount of communication on the web.
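The two steps the post describes, an inventory of the devices on the network and a policy that allows each device class only the communication it needs (the printer that may fetch firmware but may not order toner, the camera that may only stream to the recorder), can be checked against observed traffic with a small script. The following is an added example, not code from the IoT Agenda post or its author: it builds an inventory from dnsmasq-style DHCP lease lines, classifies devices by a hypothetical MAC prefix table, and flags egress flows that fall outside a per-class allow-list. All OUIs, hostnames, IP addresses, flow records and the policy itself are constructed sample data.

```python
"""Added example: IoT inventory from DHCP leases plus an egress policy check.
Every OUI, hostname, address and flow below is constructed sample data, and
the policy is a hypothetical one, not a vendor's or the post author's."""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical MAC-prefix -> device class map (constructed, not real vendor OUIs).
OUI_CLASSES = {
    "aa:bb:cc": "printer",
    "dd:ee:ff": "ip-camera",
    "11:22:33": "workstation",
}

@dataclass
class Device:
    mac: str
    ip: str
    hostname: str
    cls: str          # device class from OUI_CLASSES, or "unknown"

@dataclass
class Flow:
    src_ip: str
    dst_host: str
    dst_port: int
    bytes_out: int

def parse_leases(text: str) -> dict[str, Device]:
    """Build the inventory from dnsmasq-style lease lines:
    '<expiry> <mac> <ip> <hostname> <client-id>'. Keyed by IP."""
    inventory: dict[str, Device] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                       # skip blank or malformed lines
        _, mac, ip, hostname = parts[:4]
        cls = OUI_CLASSES.get(mac[:8].lower(), "unknown")
        inventory[ip] = Device(mac.lower(), ip, hostname, cls)
    return inventory

# Hypothetical egress policy. Per class: the (host, port) pairs a device may
# contact and a per-flow byte ceiling; None means unrestricted. A class with
# no entry at all (e.g. "unknown") gets no egress and is reported.
POLICY = {
    "printer":     {"allowed": {("fw.printer-vendor.example", 443)}, "max_bytes": 50_000},
    "ip-camera":   {"allowed": {("nvr.corp.example", 554)},          "max_bytes": 10_000_000},
    "workstation": {"allowed": None,                                  "max_bytes": None},
}

def evaluate(flows: list[Flow], inventory: dict[str, Device]) -> list[tuple[str, str, str]]:
    """Return (finding, device-or-ip, destination) tuples for flows that the
    inventory or policy does not account for."""
    findings = []
    for f in flows:
        dev = inventory.get(f.src_ip)
        if dev is None:                    # traffic from an address we never leased
            findings.append(("unknown-device", f.src_ip, f.dst_host))
            continue
        rule = POLICY.get(dev.cls)
        if rule is None:                   # inventoried, but no class policy written yet
            findings.append(("no-policy", dev.hostname, f.dst_host))
            continue
        if rule["allowed"] is not None and (f.dst_host, f.dst_port) not in rule["allowed"]:
            findings.append(("blocked-destination", dev.hostname, f.dst_host))
        if rule["max_bytes"] is not None and f.bytes_out > rule["max_bytes"]:
            findings.append(("excess-egress", dev.hostname, f.dst_host))
    return findings

# Constructed sample lease file.
LEASES = """\
1477000000 AA:BB:CC:00:01:02 10.0.1.23 printer-lobby 01:aa:bb:cc:00:01:02
1477000000 dd:ee:ff:10:20:30 10.0.1.40 cam-reception *
1477000000 11:22:33:44:55:66 10.0.1.77 ws-alice *
1477000000 99:88:77:66:55:44 10.0.1.90 smart-tv *
"""

# Constructed sample egress flows (as a flow collector or proxy log would give them).
FLOWS = [
    Flow("10.0.1.23", "fw.printer-vendor.example", 443, 4_200),   # printer firmware check: allowed
    Flow("10.0.1.23", "orders.toner-shop.example", 443, 900),     # printer ordering toner: not allowed
    Flow("10.0.1.40", "nvr.corp.example", 554, 2_000_000),        # camera stream to recorder: allowed
    Flow("10.0.1.40", "203.0.113.9", 443, 120),                   # camera to an outside host: not allowed
    Flow("10.0.1.77", "www.example.com", 443, 80_000),            # workstation: unrestricted here
    Flow("10.0.1.90", "ads.tv-vendor.example", 80, 300),          # TV with unknown prefix: no policy
    Flow("10.0.1.200", "203.0.113.5", 443, 5_000),                # address not in the lease file
]

def run_sample() -> list[tuple[str, str, str]]:
    return evaluate(FLOWS, parse_leases(LEASES))

if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the sample data the script reports the printer's toner-order connection and the camera's outside connection as blocked destinations, the smart TV as an inventoried device with no policy, and the unleased address as an unknown device; the workstation's browsing is left alone because its class is unrestricted. In practice the inventory would come from the real DHCP server or switch tables and the flows from a proxy or flow collector, and the "no-policy" and "unknown-device" findings are the ones that drive the inventory work the post calls for.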
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.