
2/4/2019
10:30 AM
Saumitra Das
Commentary

IoT Security's Coming of Age Is Overdue

The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.

Security always lags behind technology adoption, and few technologies have seen growth as explosive as the Internet of Things (IoT). Despite the rapid maturation of the market for connected devices, security has been an afterthought until now, creating an unprecedented opportunity for hackers worldwide.

It's 2019 and the industry is overdue for a new, comprehensive security model for connected devices — one that reflects the challenges of protecting IoT's position at the confluence of software and device security. The unique threat landscape requires a novel security approach based on the latest advances in network and artificial intelligence (AI) security.

What's at Stake
Cisco estimates the number of connected devices will surpass 50 billion by 2020. Enterprises are on pace to invest more than $267 billion in IoT tools during that same time. Attacks on IoT devices rose by 600% in 2017, reflecting both security vulnerabilities and the value of the targets. The NSA posted an advisory on smart furniture hacks, and the 2018 Black Hat and DEF CON conferences produced a stunning array of connected device attacks and security analysis.

The prevalence of connected devices and lack of comprehensive IoT security pose diverse risks for enterprises.

To start, altering or interrupting connected device performance alone can constitute a catastrophic breach — even one with life-or-death consequences. The Stuxnet attack famously sabotaged the Iranian nuclear program by causing as many as a thousand uranium enrichment centrifuges to malfunction and eventually fail. Attacks targeting power grid infrastructure have been detected both abroad, in Ukraine, and in the United States. Interference with consumer devices such as vehicles and pacemakers puts their owners at risk. Inside the enterprise, tampering with smart mining, manufacturing, or farming equipment could cause millions of dollars in damage to goods and equipment. The growing trend toward corporate ransom and hacktivism has expanded the pool of potential targets beyond scenarios where attackers can profit directly from a breach.

In addition to service disruptions, IoT systems are susceptible to breaches resulting in data loss. Data from manufacturing and consumer sensors can be valuable intellectual property. Lost data from consumer or enterprise devices can constitute privacy violations, as in the case of connected toys or even office-entry badge logs. Regulatory experts anticipate a "feeding frenzy" of legal cases stemming from IoT attacks in the coming years.

Following Data from Sensors to the Cloud
The IoT threat landscape includes elements of both centralized and dispersed systems. A typical architecture involves a large number of sensors collecting data, which is then consolidated and analyzed. Practically, we can group the vulnerabilities of IoT systems into two categories: the security of sensors and the security of data repositories.

Connected devices create liabilities at all stages of the security life cycle, from prevention to detection to remediation. The challenge of securing sensors begins with taking an accurate inventory. Many companies will be hard pressed to evaluate the security posture of all connected devices in use, from strategic enterprise equipment to connected devices in regional offices. Many connected devices lack basic security features found on laptops or smartphones. Default passwords, unpatched operating systems, network trust issues, and unhardened devices with open ports are all vulnerabilities endemic in IoT security. Finally, hardware may not support the capability to register that it has been tampered with, limiting the security team's ability to detect and respond to successful attacks.

The Internet of Things is inherently intertwined with cloud security. Most sensors have relatively limited processing capabilities and rely on cloud hosting to analyze data. These consolidated repositories create risks around access control, data security, and regulatory compliance. Gartner warns that at least 95% of cloud security failures will be the customer's fault, meaning misconfigured security settings will result in security incidents. Research on a sample of enterprise AWS S3 buckets found 7% with unrestricted public access and 35% unencrypted. Hundreds of millions of dollars in acquisitions for vendors dedicated to auditing and automating cloud security configurations attest to the breadth of this attack vector.

Leveraging the Strengths of IoT for Security
Companies have invested in IoT in the absence of robust security because of the business opportunities available from massive amounts of data and powerful analytics. Fittingly, IoT security solutions must lean on these same advantages.

First, IoT security fundamentally requires network-based enforcement. IoT sensors cannot support the same endpoint security solutions available for smartphones. The sheer number of devices a typical enterprise uses makes security at the device level unfeasible. Applying security at the network level allows the enterprise to gain holistic visibility and enforcement across its IoT portfolio.

Second, companies can use the large quantities of data coming from IoT devices to implement behavioral security with neural networks. The AI approaches in use today with IoT are simple statistical deviation or anomaly detection. They may find the needle in the haystack, but they will also see needles where they do not exist. The massive traffic coming from IoT systems allows for the training of neural networks to detect malicious intent with greater accuracy, lowering the rate of false positives and alleviating alert fatigue.
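The limitation of simple statistical deviation described above can be seen in a small per-device baseline detector. This is an added example, not code from the article or its author; the device names, byte counts, and labels are constructed sample data.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

def make_samples():
    """Constructed per-minute flow summaries: (minute, device, bytes_out, label)."""
    rows = []
    for t in range(30):
        cam = 5000 + (t % 5) * 40        # steady camera uplink
        thermo = 300 + (t % 3) * 10      # steady thermostat telemetry
        cam_label = thermo_label = "benign"
        if t == 20:                      # scheduled footage backup: large but legitimate
            cam = 60000
        if t == 25:                      # unexpected bulk upload: the real needle
            thermo, thermo_label = 45000, "malicious"
        rows.append((t, "cam-01", cam, cam_label))
        rows.append((t, "thermo-02", thermo, thermo_label))
    return rows

def detect(rows, window=15, k=3.0, min_history=10):
    """Alert when a sample exceeds the device's trailing mean by k standard deviations."""
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for minute, device, nbytes, label in rows:
        past = history[device]
        if len(past) >= min_history:
            mu, sigma = mean(past), pstdev(past)
            # Floor sigma so a perfectly flat baseline does not alert on tiny jitter.
            threshold = mu + k * max(sigma, 1.0)
            if nbytes > threshold:
                alerts.append((minute, device, nbytes, label))
        past.append(nbytes)
    return alerts

def score(alerts):
    """Return (true_positives, false_positives) using the constructed labels."""
    tp = sum(1 for a in alerts if a[3] == "malicious")
    fp = sum(1 for a in alerts if a[3] == "benign")
    return tp, fp

if __name__ == "__main__":
    found = detect(make_samples())
    for alert in found:
        print(alert)
    print("TP, FP =", score(found))
```

Volume alone cannot separate the legitimate backup from the bulk upload, so both raise an alert; half of the analyst's queue here is a needle that does not exist.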

Forcing existing enterprise security approaches onto IoT systems is doomed to failure. Securing the Internet of Things requires a combination of hardware and software security that contends with the unique risks and limitations of connected devices and data processing repositories. By tailoring security to the architecture of IoT systems in use, organizations can take advantage of all the benefits that technologies like the cloud and AI have to offer.

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ...
Comments
REISEN1955,
User Rank: Ninja
2/15/2019 | 7:05:56 AM
Re: We need to improve, pronto
The bad guys (all of them) have nothing but TIME on their hands - they have all day to just THINK about how to bypass any security function and this is an incredible advantage. WE have to deal with trying to out-think them while dealing with a few thousand corporate rules, regulations, budget and time issues. We have an 8-12 hour working day standard. The bad guys have 24 hour days all of the time. There we have a mega disadvantage in effort and, besides, I always believe we are forever 5 minutes behind the bad guys all of the time.
StephenGiderson,
User Rank: Apprentice
2/14/2019 | 9:35:31 PM
We need to improve, pronto
As technology evolves, so should security. However, in this rapidly progressing era, that unfortunately isn't the case. As we witness constant development of various technologies, we sadly also experience major lapses in security over various platforms. Consumer data is sacrificed affecting not only individuals but large corporations as well. Major loss of confidence has occurred over the course of just less than a decade and how can we seriously improve?
UdyRegan,
User Rank: Apprentice
2/14/2019 | 2:01:46 AM
Many entry points..
The more connections you have to an information hub, the more security you're going to need. Every access point is a potential threat, of course. I'm pretty sure that you'll be able to find some good solutions to beef up the security of the data storage points though. That at least is one way to implement a bit of protection.
Saumitra Das,
User Rank: Author
2/4/2019 | 2:30:53 PM
Re: Blockchain
Blockchain for IoT is an interesting area for distributed trust between devices and the entities they interact with. However, security itself can be about the IoT device being tampered with in terms of transacting with other entities as well as being compromised itself leading to lateral movement in the enterprise. Additionally, many IoT systems are battery, CPU and network bandwidth constrained which can be challenging for deploying blockchain. Neural network based threat detection can help identify compromise early and has the potential to be a key enabler of this ecosystem.
blodgettcalvin,
User Rank: Apprentice
2/4/2019 | 11:21:15 AM
Blockchain
In fact, there are already many protection technologies. The most popular is the blockchain system. Also, the development of neural networks makes itself felt and there will soon be a new system based on neural systems.