Despite the hype surrounding "Internet of Things" security risks, it's not a high-priority concern for enterprises,...
Verizon researchers say. At least not yet.
Others, however, paint a grim picture of the expanding threat, though some wonder if the trend is merely being used to spread fear, uncertainty and doubt.
The term Internet of Things has become a hot IT buzzphrase, as demonstrated by the agenda at next week's RSA Conference 2015 in San Francisco, where the topic has seen a 450% increase in submission popularity over 2014.
However, in its 2015 Data Breach Investigation Report (DBIR), released Tuesday, Verizon downplayed the fad, specifically saying that "no widely known IoT device breaches have hit the popular media," and any IoT attacks in the news were only proof of concept.
"After filtering out the hype and hypotheticals," the report reads, "There were few incidents and little data disclosure to report for 2014."
Despite how the DBIR downplays the IoT, other outlets have been quick to jump on the bandwagon, outlining the security implications IoT could potentially have on enterprises and individuals alike. The mystery surrounding IoT -- and the trouble defining it -- has created anxiety of the trend.
A report released Wednesday by Boston-based security firm Pwnie Express outlines the risks associated with the IoT attack surface that has "expanded well beyond the visibility of today's monitoring and intrusion detection systems."
The Internet of Evil Things report cites a prediction that the world will have 40.9 billion IoT devices by 2020. Verizon researchers, by contrast, believe there will be only 5.4 billion IoT devices by the end of the decade.
Out of the 600 infosec professionals polled by Pwnie Express, 83% expressed concern about rogue devices, and only 31% claimed to have full visibility of all wireless devices on their networks.
The research, which also tested more than 250,000 wireless devices, warned of a "critical tipping point in enterprise security," in which IoT devices must be both defined and protected against.
Notably, Pwnie Express found 83% of HP printers were IoT security risks because they were deployed in highly vulnerable default configuration states. It also concluded 69% of open network wireless access points lacked encryption.
While Pwnie Express admittedly has a bleaker outlook on Internet of Things security risks, Verizon researchers also believe IoT will be a future concern, but this should not lead to immediate "widespread panic." DBIR researchers said IoT will create a challenge when it comes to securing PII, and they wouldn't be surprised if there was a breach originating with an IoT device over the next year.
Other companies have also noted both the risks of IoT and the need to balance its pitfalls with its benefits. Hewlett-Packard Co. released a report in August 2014 stating that 10 IoT devices it tested contained more than 250 flaws. General Motors Co. announced in September it hired its first cybersecurity manager to address the growing threats of IoT devices. The FTC released a report in January that highlighted several IoT security best practices.
In other news
- A report released Tuesday by Aruba Networks Inc. disclosed the security vulnerabilities companies face due to the lax security attitudes of what it calls "#GenMobile" -- described as a "group of people for whom smartphones have gone beyond personal entertainment and BYOD." The report, which surveyed more than 11,500 employees in 23 countries, found 31% of respondents lost data due to mobile device misuse. The report also disclosed that while 51% of respondents believe mobile technologies enable them to be more productive, more than a third of businesses don't have mobile security policies in place. Six in 10 of those polled admitted they shared work and personal devices with others; 70% said they have told or would consider telling others their passwords. Additionally, the survey found security ranks fifth behind brand and operating system when employees are purchasing new devices.
- The U.S. Government Accountability Office released a report Tuesday revealing modern communications make aircraft vulnerable to attack. According to the report, newer aircraft with Internet Protocol connectivity and other modern communication technologies may be vulnerable to both hackers using in-flight Wi-Fi and individuals on the ground, regardless of firewall protections. Additionally, because the Wi-Fi used for critical systems is the same as that used by passengers, malware infecting a passenger device could potentially infect the entire system. However, the attacks described in the report are all proof of concept, and report author Gerald Dillingham told CNN that despite the vulnerabilities, there are redundancy mechanisms built into planes allowing pilots to mitigate and correct these issues.
- In a joint report released Tuesday, ISACA and RSA Conference found that despite the increase in both the number of cyberattacks and need for cybersecurity, there is still a lack of skilled talent prepared to address them. In State of Cybersecurity: Implications for 2015, more than 82% of the ISACA certification holders and RSA conference constituents that responded to the survey believed their organization would experience a cyberattack in 2015. However, when it came to hiring security personnel, there is a skills gap; more than 72% of survey respondents said potential employees were unable to understand the business, and more than 46% did not have the skills necessary. The organizations also found it took 53% of respondents at least three to six months to fill an open position, with nearly 10% unable to fill it at all.
Check out the top seven enterprise risks of the Internet of Things