Balancing The Risk & Promise Of The Internet Of Things You can't defend against something you don't understand. So make sure you consider IoT's risks before embracing its functionality.
Businesses are just starting to realize both the promise and the risk of the Internet of Things (IoT). Some companies are being cautious and careful, but many are embracing the functionality enthusiastically and placing themselves in danger in the process.
It's important to note that the risk from IoT devices varies from company to company. Some have more risk because their IoT systems are connected directly to sensitive systems that can be compromised if there's a problem. Others have IoT systems isolated from business systems but don't realize that compromised IoT devices could still be used to attack others, causing reputation and trust damage.
Right now, businesses are largely in "wait and see" mode. They're not sure how and when to deploy IoT because most of the risks seem both unknown and substantial. There is no one device or type of device that is most at risk, however. For example, hacking an IoT device that stores sensitive data or is linked to an alarm system will have serious and immediate consequences, of course, but just getting onto the network is severe enough, even if that's through an unsuspecting light bulb or coffee machine. The connected nature of these products can create unintentional ports to other sensitive and critical systems, data, and devices. Once attackers have access to the network, they can steal data or damage systems. This is the real objective, regardless of how they get there.
To put it mathematically, the number of IoT devices being deployed multiplied by the insecurity of those devices multiplied by how hard it is to update them equals some idea of part of the risk that will be presented by IoT devices. The current bandwidth of distributed denial-of-service (DDoS) botnet attacks now exceeds 0.6 to 1 Tbit/s and the industry (in particular, network service providers) are struggling to adapt to the new bandwidth.
Advice for Securing IoT Devices: Know Thy System
The first step in securing IoT devices should be to deeply understand any system that's being considered for deployment. It really comes down to those devices that interact most with business systems and do so in a way that is not well understood by the security team and the business. The key part of protecting IoT systems of this type is understanding what they are, how they connect, and what their capabilities are.
Many IoT systems have a local Web server, a mobile application, listening network ports, and cloud connectivity. Using them normally often involves dozens of connections to third parties.
These are the issues that businesses need to examine and understand as they roll out IoT. They must first and foremost understand exactly what that IoT system is and all of what it can do. And it's not easy to tell this by listening to the marketing for the product, which can just add more confusion
Securing IoT devices generally requires an architecture review to fully grasp the various components of an IoT product's ecosystem and how it works, which should be followed by a security review of that architecture. The main risk to businesses from IoT — not fully understood at present — involves rolling out products connected to other business and operational technology systems. There's a concept in security called “Know thy system,” and it has never applied more than with IoT.
Too much of the present focus on risk involves prevention. At some point, we have to look at the other side of the risk equation (that is, risk = probability x impact) and focus on reducing the impact instead of trying to reduce probability.
DDoS botnet attacks are not the only way that IoT might behave badly. We could see attacks on confidentiality through server-side request forgery-based attacks in which criminals will attempt to steal money and data from a vulnerable server, and we'll see possible disruptions of integrity through modification of transaction or polling data. So all three points of the "CIA triad" — confidentiality, integrity, and availability — are really in play, it's just that DDoS is the most obvious and topical at the moment.
The bottom line is: you can't properly defend what you don't fully understand. I expect to hear much more about the possible downside of IoT. DDoS is just the beginning.
Daniel Miessler is director of advisory services with IOActive, and is based out of San Francisco. He has over 17 years of experience in information security, and specializes in application security with specific focus in web and application assessments, and helping ... View Full Bio