Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/14/2016
03:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

6 IoT Security Dangers To The Enterprise

Security risks arise as enterprises begin to deploy Internet of Things devices for the business and as employees bring those devices onto the corporate network.

As the Internet of Things (IoT) gradually becomes part of the business function, organizations must remain vigilant about securing these new potential targets.

While some industries are just beginning to introduce IoT into their businesses, the industrial sector -- such as power companies, for example -- have been utilizing IoT for some time now. “They’re the IoT hipster,” says Dave Lewis, global security advocate at Akamai. It’s imperative that their data is accurate and their systems remain up and running, so they need to ensure that their IoT devices remain secure. “If there is blizzard, you do have to worry about a loss of life," says Lewis, were the power systems to fail.

As other sectors implement IoT, Lewis warns against succumbing to the IoT of everything. Internet-connected toaster, anyone?

David Lewis, Akamai
David Lewis, Akamai

“IoT is the new bacon,” says Lewis, who will discuss IoT in the Securing the Internet of Broken Things session at Interop Las Vegas next month. Enterprise employees, IT departments, and office managers, should first pause and ask themselves: "Do I really need to plug this in?" before connecting different IoT devices to the network. More devices equal more endpoints to secure.

Organizations that already have a weak infrastructure must remain extra cautious, Lewis says. “As security debt builds up, adding IoT devices into the enterprise expands the attack surface.” 

Here's a look at six of the biggest threats IoT devices can bring to the enterprise: 

1.     Domain Name System (DNS) attacks to enterprise infrastructure 

DNS attacks to the enterprise infrastructure can cause DNS poisoning and hijacking. Enterprises need to pay special attention to these threats as they add IoT devices to the network.

Say you have a company called Widget Co., says Lewis, and Widget Co. has an IoT device. An attacker can render that device useless through a DNS attack. If the device that goes down is a product like Revolv, a smart hub recently purchased by Google that allows you to sync up your smart home devices, you’re going to have a nasty ripple effect on your hands, he notes. 

In order to prevent cybercriminals from using IoT devices to launch DNS attacks, enterprises need to properly maintain and patch their servers and invest in DNS infrastructure that can scale in the face of an increased traffic load, says Lewis.   

2.     Employees bring IoT devices into the network 

It’s possible to secure enterprise IoT, but what about all of those connected devices that employees are tinkering away at on the network, aka the "BYOIoT?"

Fitbits, smartwatches, and other IoT devices have already made their way onto the enterprise network scene, and making sure the network doesn’t go down and confidential data isn’t leaked due to a compromised connected device is something enterprises also need to think about. 

The age of restricted device usage is over. “Anything that is deployed, you have to be able to manage it,” says Lewis. But at the same time, you don’t [have} users just plugging anything into the network: organizations should deploy WiFi networks that are separate and specifically for employee devices and guest use. 

“The data is the perimeter,” says Lewis. Give employees the connectivity they want while protecting the organization, he says.

3.     Exposed APIs 

Exposed application programming interfaces (APIs) are a very serious threat to an enterprise utilizing IoT. If an organization has undocumented features of their API, or if someone is rolling out an API and they don’t have it properly documented or controlled, people will take advantage, says Lewis, adding that it’s “just one more avenue for an attacker to cause mischief.” 

When it comes to writing APIs, enterprises need to have checks and balances in place to ensure that they’re not opening themselves up to threats. 

4.     Device software gives itself too many permissions 

Organizations need to be diligent about carefully reviewing both the IoT software they’re creating and deploying on their networks. 

It’s possible that IoT software is giving itself too many permissions, says Lewis, leaving it open for attackers to leverage, or worse automate it. “This could lead to escalated access within an enterprise, data breaches, and so forth,” he warns. 

“People can/do install the software on their work systems,” Lewis says. And the software used by exercise tracking devices that you wear on your wrist to monitor your progress often has the same level of security that the IoT device has, which could be too little for the enterprise.

Devise a solid strategy for managing laptops and other devices on which software can be installed and figure out whether or not you want users to be able to install their own applications on these systems. 

5.     An influx in the volume of data 

When enterprises invest in IoT, it often comes with a sudden influx in data being collected and produced. Before deploying IoT devices, consider this: Can the network handle the volume of data they will produce, where will you store the data, and "are you going to end up in denial of service because of your own success?” says Lewis. 

Don’t get stuck cleaning up the data influx mess after it’s happened. Plan for scale, says Lewis, and be able to address future storage needs. 

6.     Legality of storing IoT data 

Then there's the question of whether you're legally allowed to store that data you’ve just created. “Germany has very strict privacy laws … that other countries don’t,” for example, says Lewis. So it’s important to take into account who you’re gathering data from, where they are, and if it’s legal to store that information. 

If you’re in the healthcare industry and you have an IoT device to manage your patients, “that data is very much subject to privacy regulations,” he says. 

Enterprises need to work with their legal departments to ensure that the data that they’re storing is not running afoul of data retention laws in the jurisdictions in which they operate, says Lewis.

Related Content:

 

 

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36124
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
CVE-2020-36125
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control where password revalidation in sensitive operations can be bypassed remotely by an authenticated attacker through requesting the endpoint directly.
CVE-2020-36126
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by incorrect access control that can lead to remote privilege escalation. PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including third-party users, application and payment term...
CVE-2020-36127
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by an information disclosure vulnerability. Through the PUK signature functionality, an administrator will not have access to the current p12 certificate and password. When accessing this functionality, the administrator has the opt...
CVE-2020-36128
PUBLISHED: 2021-05-07
Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token spoofing vulnerability. Each payment terminal has a session token (called X-Terminal-Token) to access the marketplace. This allows the store to identify the terminal and make available the applications distributed by its ...