News

5/14/2018
05:00 PM

Shadow IoT Devices Pose a Growing Problem for Organizations

An Infoblox survey shows many companies have thousands of non-business Internet of Things devices connecting to their network daily.

The task of managing unsanctioned devices on enterprise networks is becoming a whole lot harder at many organizations with the growing use of personally owned Internet of Things (IoT) products in the workplace.

Infoblox recently commissioned a survey of 1,000 IT directors in the US, UK, Germany, and the UAE to understand the security implications of shadow devices on organizational networks. Thirty-five percent of the respondents from the first three countries reported more than 5,000 non-business devices connected to their enterprise network every single day. One-third of the respondents from the US, UK, and Germany reported more than 1,000 shadow-IoT devices connected to their network on a typical day.

Thirty-nine percent of the respondents from the US and UK said they used personal devices while connected to the enterprise network to access social media; 24% reported using the devices to download apps, while 13% did so to access games.

The most common unsanctioned IoT devices on enterprise networks included fitness trackers, such as Fitbit and Gear Fit; digital assistants, such as Google Home and Amazon Alexa; smart TVs; and smart kitchen devices, such as connected microwaves and kettles.

The proliferation of such devices significantly increases the security burden for organizations, says Sean Tierney, director of cyber intelligence at Infoblox. As it is, security administrators have an enormous task simply managing the sanctioned devices on the enterprise network. Over 75% of the organizations in the Infoblox survey, for instance, reported having more than 1,000 company-supplied devices, including laptops and tablets on the network.

The challenge of managing these devices has been compounded by an explosion in the number of insecure and unsanctioned IoT devices being added to company networks, Tierney says. "Due to the poor security levels of many of these consumer devices, there is a very real threat posed by these connected devices operating under the radar," he says. "These insecure and vulnerable devices present a weak entry point for cybercriminals into the network, and a serious security risk to the company."

Data exfiltration is one major threat. Improperly secured IoT devices can provide cybercriminals an entry point for breaking into the broader enterprise network and stealing data from it via methods like DNS tunneling, for instance, Infoblox said in its report.

As Mirai demonstrated in late 2016, vulnerable IoT devices on enterprise networks can also be hijacked and used in large-scale distributed denial-of-service attacks and other malicious campaigns. In addition, IoT devices and networks themselves can become targets of malicious attacks, such as ransomware. "Whether it comes down to neglect or ignorance, it is clear that organizations cannot rely upon employees to follow their security policy for connected devices," Tierney says.

Exacerbating the situation is how easy it is for cybercriminals to find vulnerable IoT devices on enterprise networks. Search engines like Shodan make it trivial for criminals to find connected devices and the services they might be running, like HTTP, FTP, SSH, and SNMP. In March 2018, a search that Infoblox conducted showed there were nearly 6,000 identifiable webcams openly accessible via the Web in the UK, some 2,350 smart TVs in Germany, and 1,571 Google Home devices in the US.

Many companies appear aware of the threat. Eighty-two percent of the respondents in the Infoblox survey said their employers had policies in place for dealing with connected devices. Unfortunately, there appears to be a clear disconnect between IT leaders and employees over the effectiveness of these policies.

Eighty-eight percent of IT leaders in the US and UK believed they had an effective policy in place for mitigating security risks from connected devices. But a full 24% of employees represented in the survey said they did not even know such policies existed, while a bare 20% of the people who professed knowledge of these policies actually abided by them.

"Enterprises need to do a better job of communicating the dangers that insecure devices can pose on a company network," Tierney says. Convenience is often top of mind when users connect personal devices to the enterprise network. "Security is often an afterthought when it comes to shadow devices," he notes. The reality is that ineffective policies can cost an organization thousands of dollars in both downtime and brand reputation in the event of a cyberattack.

"Organizations need to decide if they will approach risk through mitigation, transfer, or acceptance," Tierney says. Effective policies should reflect the culture of the organization and employee behavior, in addition to the reality of the risk the organization is willing to accept. "Policies should also incorporate measures for determining their effectiveness through testing or monitoring," he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
