IoT
11/21/2016
10:30 AM
Daniel Miessler
Commentary

Balancing The Risk & Promise Of The Internet Of Things

You can't defend against something you don't understand. So make sure you consider IoT's risks before embracing its functionality.

Businesses are just starting to realize both the promise and the risk of the Internet of Things (IoT). Some companies are being cautious and careful, but many are embracing the functionality enthusiastically and placing themselves in danger in the process.

It's important to note that the risk from IoT devices varies from company to company. Some have more risk because their IoT systems are connected directly to sensitive systems that can be compromised if there's a problem. Others have IoT systems isolated from business systems but don't realize that compromised IoT devices could still be used to attack others, causing reputation and trust damage.

Right now, businesses are largely in "wait and see" mode. They're not sure how and when to deploy IoT because most of the risks seem both unknown and substantial. There is no one device or type of device that is most at risk, however. For example, hacking an IoT device that stores sensitive data or is linked to an alarm system will have serious and immediate consequences, of course, but just getting onto the network is severe enough, even if that's through an unsuspecting light bulb or coffee machine. The connected nature of these products can create unintentional ports to other sensitive and critical systems, data, and devices. Once attackers have access to the network, they can steal data or damage systems. This is the real objective, regardless of how they get there. 

To put it mathematically, the number of IoT devices being deployed, multiplied by the insecurity of those devices, multiplied by how hard it is to update them, gives a rough measure of one part of the risk that IoT devices will present. The current bandwidth of distributed denial-of-service (DDoS) botnet attacks now exceeds 0.6 to 1 Tbit/s, and the industry (in particular, network service providers) is struggling to adapt to the new bandwidth.

Advice for Securing IoT Devices: Know Thy System
The first step in securing IoT devices should be to deeply understand any system that's being considered for deployment. It really comes down to those devices that interact most with business systems and do so in a way that is not well understood by the security team and the business. The key part of protecting IoT systems of this type is understanding what they are, how they connect, and what their capabilities are.

Many IoT systems have a local Web server, a mobile application, listening network ports, and cloud connectivity. Using them normally often involves dozens of connections to third parties. 

These are the issues that businesses need to examine and understand as they roll out IoT. They must first and foremost understand exactly what that IoT system is and everything it can do. And it's not easy to tell this by listening to the marketing for the product, which can just add more confusion.

Securing IoT devices generally requires an architecture review to fully grasp the various components of an IoT product's ecosystem and how it works, which should be followed by a security review of that architecture. The main risk to businesses from IoT — not fully understood at present — involves rolling out products connected to other business and operational technology systems. There's a concept in security called “Know thy system,” and it has never applied more than with IoT.
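As an added illustration of the architecture review described above (example code written for this page, not the author's or IOActive's), the script below turns a log of a device's observed connections into an inventory of listening ports and outbound destinations, then compares that inventory against the capabilities the vendor declared. The device, the flow records and their format, the hostnames (all under .invalid) and the declared profile are constructed assumptions. The same profile-versus-observed check is one way to implement the "known normal activity plus rules" watchdog raised in the comments below.

```python
"""Connection inventory for an IoT device (added example, not from the article).

Input is a constructed flow summary, one observed connection per line, in an
assumed format:  timestamp direction local_port remote_host remote_port proto
where direction is "in" (connection accepted by the device) or "out"
(connection initiated by the device).
"""
from dataclasses import dataclass

# Constructed sample: a smart thermostat that runs a local web UI, speaks MQTT
# to its vendor cloud, syncs time, and also (undocumented) talks to an
# analytics provider and exposes an extra admin port on 8080.
FLOW_LOG = """\
2016-11-20T10:00:01 in  80    192.168.1.23                     51234 tcp
2016-11-20T10:00:02 in  8883  192.168.1.23                     51235 tcp
2016-11-20T10:00:03 in  8080  192.168.1.23                     51236 tcp
2016-11-20T10:00:05 out 49152 mqtt.example-vendor.invalid      8883  tcp
2016-11-20T10:00:06 out 49153 time.example-ntp.invalid         123   udp
2016-11-20T10:00:09 out 49154 analytics.example-third.invalid  443   tcp
2016-11-20T10:01:15 out 49155 mqtt.example-vendor.invalid      8883  tcp
"""

# Constructed "vendor-declared" profile: what the product documentation says
# the device listens on and connects to.
DECLARED_PROFILE = {
    "listening_ports": {("tcp", 80), ("tcp", 8883)},
    "outbound": {
        ("mqtt.example-vendor.invalid", "tcp", 8883),
        ("time.example-ntp.invalid", "udp", 123),
    },
}


@dataclass(frozen=True)
class Flow:
    ts: str
    direction: str      # "in" or "out"
    local_port: int
    remote_host: str
    remote_port: int
    proto: str


def parse_flows(text):
    """Parse the assumed flow-summary format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, lport, rhost, rport, proto = line.split()
        flows.append(Flow(ts, direction, int(lport), rhost, int(rport), proto))
    return flows


def build_inventory(flows):
    """Reduce observed flows to the two things an architecture review needs first:
    which ports the device accepts connections on, and where it reaches out to."""
    listening, outbound = set(), set()
    for f in flows:
        if f.direction == "in":
            listening.add((f.proto, f.local_port))
        elif f.direction == "out":
            outbound.add((f.remote_host, f.proto, f.remote_port))
    return {"listening_ports": listening, "outbound": outbound}


def third_party_hosts(inventory, vendor_domain):
    """Outbound destinations that are not the vendor's own domain."""
    return {host for host, _proto, _port in inventory["outbound"]
            if not host.endswith(vendor_domain)}


def check_against_profile(inventory, profile):
    """Rules check: anything observed that the declared profile does not cover
    is a finding for the review team to explain before deployment."""
    return {
        "undeclared_listening": inventory["listening_ports"] - profile["listening_ports"],
        "undeclared_outbound": inventory["outbound"] - profile["outbound"],
    }


if __name__ == "__main__":
    inv = build_inventory(parse_flows(FLOW_LOG))
    print("listening:", sorted(inv["listening_ports"]))
    print("third parties:", sorted(third_party_hosts(inv, "example-vendor.invalid")))
    for kind, items in check_against_profile(inv, DECLARED_PROFILE).items():
        print(f"{kind}: {sorted(items)}")
```

The same comparison run periodically after deployment, with the review's signed-off inventory as the profile, turns the one-time review into an ongoing check: a new listening port or a new outbound destination shows up as a finding rather than going unnoticed.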

Too much of the present focus on risk involves prevention. At some point, we have to look at the other side of the risk equation (that is, risk = probability x impact) and focus on reducing the impact instead of trying to reduce probability.

DDoS botnet attacks are not the only way that IoT might behave badly. We could see attacks on confidentiality through server-side request forgery-based attacks in which criminals will attempt to steal money and data from a vulnerable server, and we'll see possible disruptions of integrity through modification of transaction or polling data. So all three points of the "CIA triad" — confidentiality, integrity, and availability — are really in play, it's just that DDoS is the most obvious and topical at the moment.

The bottom line is: you can't properly defend what you don't fully understand. I expect to hear much more about the possible downside of IoT. DDoS is just the beginning.

Daniel Miessler is director of advisory services with IOActive, and is based out of San Francisco. He has over 17 years of experience in information security, and specializes in application security with specific focus in web and application assessments, and helping ...
Comments
Charlie Babcock
11/28/2016 | 7:37:52 PM
Needed, a machine-learning watchdog
I think IoT will be safe only when each device has a security profile, along with a watchdog machine-learning system knowing its normal activity and investigating whenever it departs from the norm. A rules engine should be available to rule on whether a new activity is allowed or of a suspicious character. There are just too many connections and dependencies within IoT to seal off all possible intruders.