Now is the time to deal with IoT security
3 January 2018 | 0
There is much concern in the world of enterprise security for the state of the Internet of Things. It has been described as a “ticking time bomb.”
In order to discern signal from the noise, Srini Vemula, global product management leader and security expert at SenecaGlobal, discussed what is really at risk, as the world hurtles toward 2020 and an estimated 20.4 billion connected devices.
Why is IoT so vulnerable?
According to Vemula, the “minimal footprint” of IoT software and hardware cuts down on traditional malware protection strategies. Plus, he said, buyers of consumer products, ranging from children’s toys to pacemakers and cars, are not primed to think of security issues. On a larger scale, he added, “critical infrastructures like electricity, irrigation and defence are now connected,” creating juicy targets for digital mayhem from criminal gangs to rogue nations.
The problems are hardly theoretical. Apparently, IoT malware has already infected more than 1 million organisations. Everything from ransomware to hacking into healthcare, manufacturing, and media is already costing big bucks leading to myriad lawsuits.
Biggest IoT security problems
Vemula laid out some of the biggest IoT-related security problems that have already occurred:
- Mirai: Last year, the Mirai botnet attack brought down a significant portion of the internet by exploiting factory default and hardcoded passwords.
- DDoS attacks in 2016: Embedded utilities running on CCTV devices were hacked on a jewellery store.
- DDoS attacks on a security journalist site: Using more than 500,000 internet-connected cameras, attackers generated 660 Gbps of traffic, causing Akamai, the company providing protection for the site, to let go when it became too costly to hold off that amount of traffic.
- Persirai botnet: More than 100,000 IP-connected cameras were attacked, giving the hackers access to the cameras’ internet feed.
Despite these examples, and many others, many companies still think IoT security is something they will need to worry about in a few years. Not surprisingly, Vemula believes that approach is dangerously complacent.
How can enterprises boost their IoT security?
Fortunately, it is never too late for companies to take action to mitigate their IoT-related risks. Vemula shares a handful of actions he says can make a real difference:
- Build devices based on security-hardened platforms. By hardened, he means operating systems fine-tuned to be secure. Additionally, he says, “IoT architectures should support patching of software at scale.”
- Adopt standard IoT security controls. Vemula offers NIST (800-53) as an example.
- Make sure IoT devices have a workflow that enables and encourages changing default passwords. As Vemula notes, buyers of connected devices do not automatically think, “Oh! Let me secure these first!” So, designers have to make security precautions an easy and expected part of using the product.
- Subscribe to security services, and act on all threat reports in the wild. When IoT exploits appear in the real world, it’s critical that IoT users and vendors apply patches immediately to minimise the danger of of zero-day vulnerabilities. Knowing about a problem and not doing anything about it does not make you any safer.
- Understand that building in rock-solid security can be at odds with building fast and keeping products affordable. It’s not always possible to build secure products and networks quickly and inexpensively. Given that, enterprises have to intelligently prioritise their security resources depending on the usage of given device—to get the most bang for their security buck.
Ultimately, it is not certain these suggestions are enough to defuse the “ticking time bomb” and head off the IoT “security apocalypse,” but they do go some way towards ensuring that security is addressed, and it is a lot better than doing nothing.
IDG News Service