9/20/2017 10:00 AM
Derek Manky
Commentary

Get Serious about IoT Security

These four best practices will help safeguard your organization in the Internet of Things.

The Internet of Things is riddled with security challenges. Cybercriminals know this too, and have often been quicker to take advantage of vulnerabilities than we have been to fix them. For instance, according to Fortinet's Threat Landscape Report for the second quarter of 2017, 90% of organizations recorded attacks that targeted system and device vulnerabilities that were at least three years old, even though updates and patches had long been available. It's even more alarming that 60% of organizations reported attacks aimed at vulnerabilities that were 10 or more years old.

Today, the billions of online IoT devices present an even more daunting challenge because they generally don't receive the level of control, visibility, and protection that traditional systems receive. Coupled with widespread automation-based attacks, the potential for damage is even greater. Recent developments, outlined below, reveal why it's time to take IoT security seriously.

Smart to Smarter
In 2016, the Mirai malware became the first IoT botnet to power a distributed denial-of-service attack of unprecedented scale. This year has brought new generations of IoT-based attacks, such as Hajime and Poison Ivy, that have multiple toolkits built into them.

Mirai was successful, but it wasn't built to be smart. Hajime is more robust because it's automated. It self-propagates like a ransomworm and is difficult to shut down. Even more alarming is that Hajime is a multivector attack that can target different operating systems and supports multiple payloads and binaries, making it cross-platform.

Hajime also removes firewall rules that allow the device to talk to the Internet service provider. In a worst-case scenario, an attack could cause millions of devices to go dark.

The Dawn of Manufacturer Accountability
Mirai was an IoT cybersecurity wake-up call. We all knew that the IoT was insecure, and this botnet provided a glaring real-world example. As a result, individuals, organizations, and regulatory bodies were motivated to accelerate the process of making IoT vendors accountable for their products.

In January 2017, the Federal Trade Commission took the bold step of filing a lawsuit against an IoT manufacturer. The suit alleges that a global manufacturer of computer networking equipment and other connected devices "made deceptive claims about the security of its products and engaged in unfair practices that put consumers' privacy at risk."

Meanwhile, the US Commerce Department's National Telecommunications and Information Administration has assembled a working group to develop guidance for IoT device manufacturers to better inform consumers about security updates. This group came up with "key elements" that manufacturers should consider conveying to consumers to help them make better-informed purchasing and use decisions. These key elements include whether a device can receive security updates, how it will receive them, and when support for the device would end.

More recently, the Internet of Things Cybersecurity Act of 2017 was introduced into the U.S. Senate as an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities.

Security updates and standards are only one aspect of imposing IoT cybersecurity and manufacturer accountability, but they're a good start. These developments are a positive sign that the industry and those who regulate it are serious about creating an environment of accountability.

Four Best Practices to Address IoT Security Challenges
Many CSOs ask me, "If you could give me one piece of advice on IoT security, what would it be?" The answer is, "Know your digital assets." You have to attain visibility before implementing protection, because you can't protect what you can't see. Every organization needs a constantly updated inventory of the assets on its network, including services. Risk analysis and security development are then based on the answer to the question, "If that data or service were to go offline, how much would it cost in revenue and damage to the brand?"

With that in mind, here are four recommendations for addressing the IoT's cybersecurity challenges.

First of all, because of advanced threats like Hajime and WannaCry, patch management is essential. WannaCry targeted a vulnerability for which a patch had been available for more than two months. Even worse, Petya followed a few weeks later targeting the exact same vulnerability and still managed to affect millions of devices. Organizations that were spared the effects of these attacks all had a strong cyber-hygiene policy that includes applying patches as soon as they're available.

But physical patching is only part of the solution. There are billions of vulnerable devices out there with no patches in sight. This is where intrusion-prevention systems (IPS) are essential. IPS is a must-have part of your security hygiene strategy because it can provide virtual patching to block hacks and attacks that target IoT and other vulnerable devices.

Second, build redundancy and segmentation into your data backups. Scan your backups to make sure they're clean, and make sure that they're segmented off-network. Segmentation will also help protect against ransom-of-service attacks, which we expect to see in the coming year.

Third, focus on visibility. Perimeter defenses alone aren't enough. Once the perimeter has been breached, many organizations have little visibility into what an attacker or malware is doing. It's critical that you start by understanding who your attackers are, become familiar with their techniques, tactics, and procedures, and understand their objectives and motivations. Then drive visibility and control deep into the core of your network and out to its furthermost edges, including remote devices and the cloud. Only then can you intelligently defend your network.

Finally, it's time to tighten up the time to defense. Proactive solutions need to be tied together. You need to take a hard look at your data centers and customer sites for ways to integrate all the different pieces from different providers. Try to reduce that complexity by further integrating devices, consolidating existing security solutions, and automating interoperability between your defense systems. This approach is critical if you want to speed up your time to defense.
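The four practices above start from the asset inventory the author asks for. The following is an added illustration, not code from the article or from Fortinet: it takes a constructed inventory (fictional device names and dates), records for each asset the NTIA "key elements" the article mentions (whether it still receives security updates and when support ends), and maps each device to the control the article recommends: apply the vendor patch where one exists, put IPS virtual patching and segmentation in front of devices that will never get one, and simply monitor the rest. Using firmware age as a proxy for the age of a device's known flaws, with the article's three-year figure as the threshold, is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    firmware_date: date           # build date of the firmware currently running
    patch_available: bool         # vendor has shipped a fix this device has not applied
    support_end: Optional[date]   # vendor's stated end of security updates (None = unknown)
    outage_cost_per_day: int      # answer to "what does it cost if this goes offline?"

def vuln_age_years(asset: Asset, today: date) -> float:
    """Age of the running firmware in years (assumed proxy for age of its known flaws)."""
    return (today - asset.firmware_date).days / 365.25

def triage(asset: Asset, today: date) -> str:
    """Map an asset to one control: 'patch', 'virtual-patch' (IPS + segmentation), or 'monitor'."""
    unsupported = asset.support_end is not None and asset.support_end < today
    if asset.patch_available:
        return "patch"            # a fix exists: physical patching is the cheapest control
    if unsupported or vuln_age_years(asset, today) >= 3:
        return "virtual-patch"    # no fix coming, or flaws old enough to be mass-exploited
    return "monitor"

def prioritized(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Order work by (urgency of control, business impact) so the costliest gaps come first."""
    urgency = {"patch": 0, "virtual-patch": 1, "monitor": 2}
    rows = [(triage(a, today), a) for a in assets]
    rows.sort(key=lambda r: (urgency[r[0]], -r[1].outage_cost_per_day))
    return [(a.name, action) for action, a in rows]

# Constructed sample inventory; none of these are real devices or dates.
TODAY = date(2017, 9, 20)
SAMPLE = [
    Asset("lobby-ip-camera", date(2013, 4, 1), False, date(2015, 1, 1), 200),     # out of support
    Asset("hvac-controller", date(2017, 1, 15), True, date(2020, 6, 30), 5000),   # fix unapplied
    Asset("badge-reader", date(2017, 6, 1), False, date(2021, 1, 1), 3000),       # current
    Asset("smart-tv-boardroom", date(2014, 8, 20), False, None, 50),              # 3+ years old
]

if __name__ == "__main__":
    for name, action in prioritized(SAMPLE, TODAY):
        print(f"{action:14s} {name}")
```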


Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...
Comments
REISEN1955, User Rank: Ninja
9/20/2017 | 2:33:30 PM
Re: Of interest
Politics aside, good reason to disable that on a "pacemaker" --- my defib is a close cousin but not so much of a threat in that regard. Still, shows the significance above on a wireless pacemaker as an IoT device used in important public people.
cybersavior, User Rank: Strategist
9/20/2017 | 2:19:53 PM
Re: Of interest
That is precisely why doctors disabled the wireless function in Dick Cheney's pacemaker. To thwart hackers killing him.
REISEN1955, User Rank: Ninja
9/20/2017 | 1:50:59 PM
Of interest
I have a wireless defibrillator inside of me - made by Boston Scientific. It regularly posts condition status to a wireless receiver in my kitchen attached to a phone. Seems simple enough but consider this as an IoT device, I wonder just what related data is transmitted and what can be associated with it upon reception. One has to trust that somewhere in Emory Hospital the walls are rather well up (one never knows) but ... so long as a hacker does not turn me OFF????