The Internet of Things is riddled with security challenges. Cybercriminals know this too, and have often been quicker to take advantage of vulnerabilities than we have been to fix them. For instance, according to Fortinet's Threat Landscape Report for the second quarter of 2017, 90% of organizations recorded attacks that targeted system and device vulnerabilities that were at least three years old, even though updates and patches had long been available. It's even more alarming that 60% of organizations reported attacks aimed at vulnerabilities that were 10 or more years old.
Today, the billions of online IoT devices present an even more daunting challenge because they generally don't receive the level of control, visibility, and protection that traditional systems receive. Coupled with widespread automation-based attacks, the potential for damage is even greater. Recent developments, outlined below, reveal why it's time to take IoT security seriously.
Smart to Smarter
2016's Mirai malware was the first IoT botnet to lead to an unprecedentedly massive distributed denial-of-service attack. And this year brought us new generations of IoT-based attacks, like Hajime and Poison Ivy, that have multiple toolkits built into them.
Mirai was successful, but it wasn't built to be smart. Hajime is more robust because it's automated. It self-propagates like a ransomworm and is difficult to shut down. Even more alarming is that Hajime is a multivector attack that can target different operating systems and supports multiple payloads and binaries, making it cross-platform.
Hajime also removes firewall rules that allow the device to talk to the Internet service provider. In a worst-case scenario, an attack could cause millions of devices to go dark.
The Dawn of Manufacturer Accountability
Mirai was an IoT cybersecurity wake-up call. We all knew that the IoT was insecure, and this botnet provided a glaring real-world example. As a result, individuals, organizations, and regulatory bodies were motivated to accelerate the process of making IoT vendors accountable for their products.
In January 2017, the Federal Trade Commission took the bold step of filing a lawsuit against an IoT manufacturer. The suit alleges that a global manufacturer of computer networking equipment and other connected devices "made deceptive claims about the security of its products and engaged in unfair practices that put consumers' privacy at risk."
Meanwhile, the US Commerce Department's National Telecommunications and Information Administration has assembled a working group to develop guidance for IoT device manufacturers to better inform consumers about security updates. This group came up with "key elements" that manufacturers should consider conveying to consumers to help them make better-informed purchasing and use decisions. These key elements include whether a device can receive security updates, how it will receive them, and when support for the device would end.
More recently, the Internet of Things Cybersecurity Act of 2017 was introduced into the U.S. Senate as an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities.
Security updates and standards are only one aspect of imposing IoT cybersecurity and manufacturer accountability, but they're a good start. These developments are a positive sign that the industry and those who regulate it are serious about creating an environment of accountability.
Four Best Practices to Address IoT Security Challenges
Many CSOs ask me, "If you could give me one piece of advice on IoT security, what would it be?" The answer is, "Know your digital assets." You have to attain visibility before implementing protection, because you can't protect what you can't see. Every organization needs a constantly updated inventory of the assets on its network, including services. Risk analysis and security development is then based on the answer to the question, "If that data or service were to go offline, how much would it cost in revenue and damage to the brand?"
With that in mind, here are four recommendations for addressing the IoT's cybersecurity challenges.
First of all, because of advanced threats like Hajime and WannaCry, patch management is essential. WannaCry targeted a vulnerability for which a patch had been available for more than two months. Even worse, Petya followed a few weeks later targeting the exact same vulnerability and still managed to affect millions of devices. Organizations that were spared the effects of these attacks all had a strong cyber-hygiene policy that includes applying patches as soon as they're available.
But physical patching is only part of the solution. There are billions of vulnerable devices out there with no patches in sight. This is where intrusion-prevention systems (IPS) are essential. IPS is a must-have part of your security hygiene strategy because it can provide virtual patching to block hacks and attacks that target IoT and other vulnerable devices.
Second, use redundancy segmentation for your data backups. Scan your backups to make sure they're clean, and make sure that they're segmented off-network. Segmentation will also help protect against ransom-of-service attacks, which we expect to see in the coming year.
Third, focus on visibility. Perimeter defenses alone aren't enough. Once the perimeter has been breached, many organizations have little visibility into what an attacker or malware is doing. It's critical that you start by understanding who your attackers are, become familiar with their techniques, tactics, and procedures, and understand their objectives and motivations. Then drive visibility and control deep into the core of your network and out to its furthermost edges, including remote devices and the cloud. Only then can you intelligently defend your network.
Finally, it's time to tighten up the time to defense. Proactive solutions need to be tied together. You need to take a hard look at your data centers and customer sites for ways to integrate all the different pieces from different providers. Try to reduce that complexity by further integrating devices, consolidating existing security solutions, and automating interoperability between your defense systems. This approach is critical if you want to speed up your time to defense.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio