Dimension Data believes that in order to leverage the benefits the IoT will offer, organisations will need to adopt IPv6 more broadly across their infrastructures. Only a small group of enterprises’ network devices support IPv6, which exposes them to unnecessary risk, particularly given the dawn of the IoT and the demands this will place on corporate networks to adopt the new standard.
Obsolete tolerance
“During the seven-year history of our report, the average tolerance level for organisations’ obsolete devices in their networks has been around 10%. Rarely do organisations allow this to increase beyond 11% before they refresh the relevant devices. The conventional assumption was that an overall technology refresh was imminent, but our data shows that organisations are refreshing mostly obsolete devices,” said van Schalkwyk.
“They are willing to sweat their aging devices for longer than expected. Organisations therefore focus their refresh initiatives mostly on technology that has reached critical lifecycle stages when vendor support is no longer available.”
Nightmare scenario
If this is how the average company treats its mobile devices – technology used to access and store significant kinds of data – then what will happen when IP-enabled access devices proliferate in the enterprise space in potentially large numbers? The nightmare scenario is that many IoT applications will be deployed with minimal attention from a security point of view.
“This already represents a major challenge to the enterprise in the form of consumer devices creating new end points to the corporate network. We’re seeing IP-enabled devices casually appearing left, right and centre in people’s homes where there are VPN connections back to the office and in the workplace where people connect them without thinking this through,” said James Lyne, global head of security research with Sophos.
“We’re also seeing IoT technology being consciously adopted by the enterprise. The worry here is the frankly disgraceful security record we see with most IoT devices so far, almost without exception.”
Lyne points to research Sophos has done, including an experiment in which it acquired 12 IP-enabled CCTV cameras, all designed to be connected to the cloud and remotely monitored. Of the 12, only one didn’t have a high severity security failure.
“This means with all but one of them, we were able to remotely gain access to it without a username or password from anywhere on the web. Seven of them were still vulnerable to Heartbleed, an OpenSSL security flaw which was exposed over a year ago, with no patches available to make them secure,” he said.
“The remainder, with the exception of one, weren’t vulnerable to Heartbleed because they didn’t bother using SSL, so all their traffic wasn’t even encrypted. They were accidentally secure for reasons of incompetence.”
Hacker incentives
While many IoT technologies today make use of low-cost, low-functionality RFID tags to automate mundane and often low-value, high-volume processes, there is minimal incentive for hackers to bother targeting them. But as the technologies mature and become more ubiquitous, this situation will change.
“As people start to do more complex things with more high value items and processes, then the appeal to hackers will increase. Already these devices, compared to simple technologies like RFID, have significant interest to hackers. They have IP-addresses and are connected to networks. That’s often enough to catch someone’s eye,” said Lyne.
“We’ve seen attacks jump from poorly defended printers into corporate networks and the principle is largely the same — it’s about network access points. Many of these devices are the same level of sophistication, running old versions of Linux or custom versions of Android. They are to all intents and purposes computers, but they’re not treated like that by security professionals.”



