Saryu Nayyar, CEO of Gurucul | Forbes
The Internet of Things (IoT) is driving transformational change in IT infrastructures. Connecting everything — printers, medical devices, cameras, industrial devices, door locks, cars, etc. — to the network, the cloud or both is creating a vast, porous security perimeter.
In fact, it’s largely undefendable using traditional security architectures.
The security problem will only grow more complex. A study conducted by 451 Research (via Yahoo Finance) estimates that “the number of IoT connected devices (excluding PCs, smart TVs, and game consoles) will be approximately 8 billion in 2019 and reaching nearly 14 billion in 2024,” while a report from the International Data Corporation (via MarketWatch) forecasts that worldwide spending on IoT will reach $745 billion in 2019.
Increased connectivity means increased security threats. From my experience, many IoT products don’t get regular updates, while some can’t be updated. This exposes devices to potential cyberattacks that target vulnerabilities in outdated hardware and software.
In addition, most IoT devices come with default passwords that can be easily compromised using publicly available password lists and automated searches for particular devices. Others have weak credentials that are susceptible to brute-force password hacking.
The exponential growth in IoT devices has led to more ransomware, malware and botnet attacks that are specifically targeting certain equipment. The Mirai botnet is a recent, high-profile example. Using a distributed denial of service (DDoS) attack against infrastructure provider Dyn, it disabled much of the internet on the U.S. East Coast on October 21, 2016. Mirai took over poorly secured IoT devices like security cameras, DVRs and routers by logging in using default passwords. In comparison, smaller, more targeted attacks can easily evade detection by conventional security products.
There are also communication security issues. Some IoT devices send unencrypted messages to the network, which can lead to data being intercepted.
Meanwhile, traditional IT security models are ill-equipped to address IoT risks since these devices lack built-in monitoring and control capabilities. IoT also breaks perimeter-based security that assumes devices inside the network can be trusted. To complicate matters, many IoT devices are added to the network without IT’s knowledge, where they remain undocumented and unmanaged.
From my experience, the first step your company should take to implement an IoT security strategy is to enforce a strict password policy. IoT devices lack role-based access and privileged delegation controls, and they also use scaled-down operating systems, which pose a potential security vulnerability.
Therefore, you should change all default passwords, with each device being given its own unique, cryptographically complex password. This should prevent devices from being hijacked by automated attacks that scour the internet for devices with default credentials, and it should also reduce the risk of an organization falling victim to brute-force attacks.
In addition, your organization should apply security updates in a timely fashion and request service-level agreements from IoT vendors for patching new vulnerabilities before equipment is deployed. If a vendor doesn’t issue patches in acceptable time frames, you should either request that it does or find another supplier.
You’ll also want to use access control lists within the network to segment IoT traffic and prohibit unauthorized lateral communications, including monitoring and controlling remote access to IoT devices, and you should remove all end-of-life devices.
Another approach involves using machine learning models to learn what constitutes normal behavior for an IoT device and monitor its activity to detect anomalies as they occur. This requires a mature User and Entity Behavior Analytics (UEBA) system capable of monitoring large numbers of IoT devices in real time.
Machine learning provides the force multiplier needed to monitor for IoT security threats at scale. While IoT devices are not complicated equipment in and of themselves, connecting hundreds, thousands or more of them to the network creates a massive attack surface that can be difficult to protect using traditional methods. Machine learning can quickly weed out IoT anomalies since these devices perform a singular or narrow set of functions. It’s not like trying to find a needle in a haystack but rather a needle in your shoe.
The number and type of IoT devices in place — and the risk factor if they are compromised (i.e., medical, water treatment, electric grid, etc.) — will determine whether basic security hygiene steps are sufficient or if more active monitoring and threat detection capabilities like machine learning analytics are required.
External Link: IoT Has Spawned Entity-Based Risks — Now What?