nuruddean - Fotolia
The rapid growth of the internet of things (IoT) has vastly expanded cyber criminals’ attack vector options. Millions of connected devices – many of them lacking basic security features or that are deployed using default passwords – have provided new gateways into networks around the world, in homes and businesses alike.
In 2016, a large-scale Mirai botnet distributed denial of service (DDoS) attack was launched. This attack was partly enabled by poorly protected CCTV cameras that were connected to the internet. It took down a significant chunk of internet access on the east coast of the US.
To rush items to market, many manufacturers – particularly on the consumer side – configure devices with weak (or no) security credentials. To demonstrate the nature of these threats, Barracuda Labs recently conducted tests on an IoT security camera.
Cyber criminals can leverage vulnerabilities in the web and mobile applications used by IoT devices to acquire credentials, which can be used to control the device or read account information. Attackers can also use those credentials to load their firmware and repurpose a connected device to attack other devices on the network.
These attacks rely on functionality that allows users to share device access to the connected camera with other users. As a result, the devices can be compromised without any direct connection to the device itself.
There have been some efforts to legislate improved security in IoT devices. US Congress introduced the Internet of Things Cybersecurity Improvement Act of 2017 to set standards for IoT devices sold to the federal government. The bill includes requirements for patches and updates, password coding and other features. Unfortunately, it never became law – it’s still in review.
Jason Howells, Barracuda MSP
California, meanwhile, has passed an IoT cyber security law that goes into effect in 2020, requiring manufacturers to equip devices with “reasonable” security features. Additionally, IoT devices that are outside of a local area network must be configured with a unique password or allow the user to generate a new means of authentication before using it.
A multifaceted security problem
Passwords are only part of the problem. Since legislation and standards are still in development and many IoT devices come from a variety of different countries and manufacturers, managed security service providers (MSSPs) will need to protect their customers by helping them “harden” their IoT investments.
Since clients may be deploying these solutions on their own or with other providers, it’s vital to conduct a review and have a conversation about how connected devices can impact security. After that, there are a few additional strategies that can help:
- IoT requires a network-level security and enforcement approach since many connected devices don’t have the computing power or space to deploy endpoint security. There are a large number of connected devices that may not be immediately recognisable on the network. Network-level security can help nail down enforcement across the entire ecosystem.
- Can the IoT device retain data? Some don’t have that kind of memory capacity, but others do. Make sure your customers understand that, and, if necessary, create policies to make device data anonymous or reduce its storage lifespan. Also, ensure that data collected via IoT devices can be securely stored in a way that is compliant with emerging regulations such as the General Data Protection Regulation (GDPR) in Europe or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
- IoT devices generate a lot of data. Leverage artificial intelligence (AI) and machine learning (ML) to help trigger security responses based on device behaviours. The data can be used to help train these neural networks and improve their performance over time.
- Include IoT devices in update and patch procedures and routines, and make sure connected devices are protected by security policies and strong encryption. Also, make sure passwords and credentials can be changed upon installation and regularly updated.
- Consider segregating IoT devices on a separate network.
- Pay attention to routers and firewalls. Many IoT attacks start at the router or quickly find their way there.
- Encourage clients to work only with vendors that take security seriously. Low-cost hardware from overseas manufactures is notoriously vulnerable to cyber attacks. Select vendors that understand the threat and can detail exactly how their devices are protected.
- Develop a contingency plan in case IoT devices (like a network of security cameras, for example) are pulled into a DDoS or similar attack. That plan should involve not only quarantining affected devices but also protocols for operating without them once they go offline.
Your clients may already have IoT-enabled devices on their networks, and the number of devices will only increase moving forward. By taking a proactive approach to including IoT devices in your security programme, MSSPs can play an instrumental role in educating clients, preventing network breaches and providing better service.
Read more about IoT security
- Focusing the right people, processes and technology on IoT cyber security is a win-win; it can improve security operations and the success of IoT initiatives.
- Non-tech manufacturers building IoT devices combined with resource constraints is a recipe for disaster. It’s the reality of IoT security issues, and the problem isn't going away.
- Security concerns are preventing many businesses from adopting IoT-based technologies, but with a bit of planning, the business benefits can be realised by mitigating the risk.