Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
11/21/2016
10:30 AM
Daniel Miessler
Daniel Miessler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Balancing The Risk & Promise Of The Internet Of Things

You can't defend against something you don't understand. So make sure you consider IoT's risks before embracing its functionality.

Businesses are just starting to realize both the promise and the risk of the Internet of Things (IoT). Some companies are being cautious and careful, but many are embracing the functionality enthusiastically and placing themselves in danger in the process.

It's important to note that the risk from IoT devices varies from company to company. Some have more risk because their IoT systems are connected directly to sensitive systems that can be compromised if there's a problem. Others have IoT systems isolated from business systems but don't realize that compromised IoT devices could still be used to attack others, causing reputation and trust damage.

Right now, businesses are largely in "wait and see" mode. They're not sure how and when to deploy IoT because most of the risks seem both unknown and substantial. There is no one device or type of device that is most at risk, however. For example, hacking an IoT device that stores sensitive data or is linked to an alarm system will have serious and immediate consequences, of course, but just getting onto the network is severe enough, even if that's through an unsuspecting light bulb or coffee machine. The connected nature of these products can create unintentional ports to other sensitive and critical systems, data, and devices. Once attackers have access to the network, they can steal data or damage systems. This is the real objective, regardless of how they get there. 

To put it mathematically, the number of IoT devices being deployed multiplied by the insecurity of those devices multiplied by how hard it is to update them equals some idea of part of the risk that will be presented by IoT devices. The current bandwidth of distributed denial-of-service (DDoS) botnet attacks now exceeds 0.6 to 1 Tbit/s and the industry (in particular, network service providers) are struggling to adapt to the new bandwidth.

Advice for Securing IoT Devices: Know Thy System
The first step in securing IoT devices should be to deeply understand any system that's being considered for deployment. It really comes down to those devices that interact most with business systems and do so in a way that is not well understood by the security team and the business. The key part of protecting IoT systems of this type is understanding what they are, how they connect, and what their capabilities are.

Many IoT systems have a local Web server, a mobile application, listening network ports, and cloud connectivity. Using them normally often involves dozens of connections to third parties. 

These are the issues that businesses need to examine and understand as they roll out IoT. They must first and foremost understand exactly what that IoT system is and all of what it can do. And it's not easy to tell this by listening to the marketing for the product, which can just add more confusion 

Securing IoT devices generally requires an architecture review to fully grasp the various components of an IoT product's ecosystem and how it works, which should be followed by a security review of that architecture. The main risk to businesses from IoT — not fully understood at present — involves rolling out products connected to other business and operational technology systems. There's a concept in security called “Know thy system,” and it has never applied more than with IoT.

Too much of the present focus on risk involves prevention. At some point, we have to look at the other side of the risk equation (that is, risk = probability x impact) and focus on reducing the impact instead of trying to reduce probability.

DDoS botnet attacks are not the only way that IoT might behave badly. We could see attacks on confidentiality through server-side request forgery-based attacks in which criminals will attempt to steal money and data from a vulnerable server, and we'll see possible disruptions of integrity through modification of transaction or polling data. So all three points of the "CIA triad" — confidentiality, integrity, and availability — are really in play, it's just that DDoS is the most obvious and topical at the moment.

The bottom line is: you can't properly defend what you don't fully understand. I expect to hear much more about the possible downside of IoT. DDoS is just the beginning.

Related Content:

Daniel Miessler is director of advisory services with IOActive, and is based out of San Francisco. He has over 17 years of experience in information security, and specializes in application security with specific focus in web and application assessments, and helping ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
11/28/2016 | 7:37:52 PM
Needed, a machine-learning watchdog
I think IoT will be safe only when each device has a security profile, along with a watchdog, machine learning system knowing its normal activity and investigating whenever it departs from the norm. A rules engine should be available to rule on whether a new activity is allowed or of a suspicious character. There are just too many connections and dependencies within IoT to seal off all possible intruders.  
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...