Question: What do I need to know about defending Internet of Things (IoT) attack surfaces?
Bud Broomhead, CEO at Viakoo: There are several reasons why it's critical for organizations to defend their IoT attack surface, most importantly being that IoT devices are powerful systems containing compute, storage, and networking that threat actors view as the easiest way to breach an organization or enable exploits. The attack surface needs to be part of the overall corporate infosec policy unless a specific exemption is given, including policies around firmware patches and using certificates. The impact of not defending the IoT attack surface is massive and tends to fall into two categories. First is realizing that IoT device vulnerabilities are an effective method to breach an organization, and second is preventing IoT devices from being used in broader cyberattacks against multiple organizations.
Let's start with why IoT devices have become a preferred method for cybercriminals to breach an organization. IoT devices are hard to secure, they exist at five to 20 times the scale of IT devices, and they are often physically distributed widely across the organization (neatly contained in data centers). Traditional IT security solutions don't work for IoT because they are often agent-based, and IoT devices do not allow agents to be placed on them due to the devices having unique operating systems and communication protocols.
Not only are there more vulnerabilities impacting IoT devices than traditional IT systems, IoT devices offer a wider set of exploits to a threat actor. For example, man-in-the-middle attacks are essentially a solved problem for IT systems, yet they still can be effective against IoT systems. These are some of the reasons threat actors view IoT as low-hanging fruit in breaching an organization.
Likewise, many IoT devices are deployed and managed by the line of business (such as physical security, facilities, manufacturing, etc.), and may not be visible to the IT organization. Unless an automated solution is used, updating firmware on IoT devices can be slow, meaning that the window of vulnerability is open far longer for IoT than for IT systems. And because many IoT devices use open source software components (a fast-growing method of delivering vulnerabilities), enabling security fixes across a fleet of IoT devices with different makes and models also allows the attack window to be open for much longer than IT. Despite many organizations deploying IoT devices on networks segmented and firewalled away from the corporate network, over time connections to the corporate network happen, leading to IoT devices being a key method of entering an organization, then pivoting to the corporate network (the hacked fish tank in Las Vegas comes to mind).
Another major reason defending the IoT attack surface is a high priority comes from how botnet armies are typically formed using IoT devices (the most famous example being the Mirai botnet, but many other examples exist). These IoT-based botnets deliver a significant amount of spam and phishing attempts (estimates range as high as 90%), which leads directly to planting malware and ransomware and enabling data exfiltration across multiple organizations. Fighting phishing and other attack vectors leads directly to shrinking the IoT attack surface.
I'd like to end on a practical note with a few concrete tips:
- Make sure IoT devices are covered by corporate infosec policies.
- Use IoT discovery and threat-assessment solutions to ensure every IoT device is visible.
- If you have a zero-trust initiative underway, extend it to IoT.
- Use automation for implementing security fixes and documenting all stages of it, both for compliance and management purposes.
The end result should be every IoT device being visible, secure, and performing its function – and a greatly reduced attack surface.