IoT
11/21/2016 10:30 AM
Daniel Miessler
Commentary

Balancing The Risk & Promise Of The Internet Of Things

You can't defend against something you don't understand. So make sure you consider IoT's risks before embracing its functionality.

Businesses are just starting to realize both the promise and the risk of the Internet of Things (IoT). Some companies are being cautious and careful, but many are embracing the functionality enthusiastically and placing themselves in danger in the process.

It's important to note that the risk from IoT devices varies from company to company. Some have more risk because their IoT systems are connected directly to sensitive systems that can be compromised if there's a problem. Others have IoT systems isolated from business systems but don't realize that compromised IoT devices could still be used to attack others, causing reputation and trust damage.

Right now, businesses are largely in "wait and see" mode. They're not sure how and when to deploy IoT because most of the risks seem both unknown and substantial. There is no one device or type of device that is most at risk, however. For example, hacking an IoT device that stores sensitive data or is linked to an alarm system will have serious and immediate consequences, of course, but just getting onto the network is severe enough, even if that's through an unsuspecting light bulb or coffee machine. The connected nature of these products can create unintentional ports to other sensitive and critical systems, data, and devices. Once attackers have access to the network, they can steal data or damage systems. This is the real objective, regardless of how they get there. 

To put it mathematically, the number of IoT devices being deployed, multiplied by the insecurity of those devices, multiplied by how hard it is to update them, gives a rough measure of part of the risk that IoT devices will present. The current bandwidth of distributed denial-of-service (DDoS) botnet attacks now exceeds 0.6 to 1 Tbit/s, and the industry (in particular, network service providers) is struggling to adapt to the new bandwidth.

Advice for Securing IoT Devices: Know Thy System
The first step in securing IoT devices should be to deeply understand any system that's being considered for deployment. It really comes down to those devices that interact most with business systems and do so in a way that is not well understood by the security team and the business. The key part of protecting IoT systems of this type is understanding what they are, how they connect, and what their capabilities are.

Many IoT systems have a local Web server, a mobile application, listening network ports, and cloud connectivity. Using them normally often involves dozens of connections to third parties. 

These are the issues that businesses need to examine and understand as they roll out IoT. They must first and foremost understand exactly what that IoT system is and all of what it can do. And it's not easy to tell this by listening to the marketing for the product, which can just add more confusion.

Securing IoT devices generally requires an architecture review to fully grasp the various components of an IoT product's ecosystem and how it works, which should be followed by a security review of that architecture. The main risk to businesses from IoT — not fully understood at present — involves rolling out products connected to other business and operational technology systems. There's a concept in security called “Know thy system,” and it has never applied more than with IoT.
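One way to put "know thy system" into practice, as an added example that is not from the article: build a baseline of what each IoT device listens on and connects out to from connection logs, list its third-party dependencies, and flag later flows the baseline never showed. The log format, device names and hostnames below are constructed for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed flow records (not real traffic): timestamp device direction proto remote port
BASELINE_LOG = """\
2016-11-21T10:00:01 coffee-machine out tcp api.vendor.example 443
2016-11-21T10:00:02 coffee-machine out udp 10.0.0.53 53
2016-11-21T10:00:05 coffee-machine in tcp 10.0.1.25 80
2016-11-21T10:02:00 lightbulb out tcp hub.lights.example 8883
"""
# A later capture (also constructed) with two flows the baseline never showed.
LATER_LOG = """\
2016-11-22T09:00:00 coffee-machine out tcp api.vendor.example 443
2016-11-22T09:00:10 lightbulb in tcp 10.0.1.77 23
2016-11-22T09:00:20 lightbulb out tcp 203.0.113.9 6667
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """(device, direction, proto, remote, port) per well-formed line; malformed lines are skipped."""
    rows = [ln.split() for ln in text.splitlines()]
    return [(p[1], p[2], p[3], p[4], int(p[5])) for p in rows if len(p) == 6]

def is_third_party(remote):
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:  # a hostname: resolved and served outside the local network
        return True
    return not any(addr in net for net in PRIVATE_NETS)

def build_profile(flows):
    """Per device: the ports it accepts connections on and every outbound destination."""
    profile = defaultdict(lambda: {"listening": set(), "destinations": set()})
    for device, direction, proto, remote, port in flows:
        if direction == "in":
            profile[device]["listening"].add((proto, port))
        else:
            profile[device]["destinations"].add((proto, remote, port))
    return dict(profile)

def third_party_peers(profile, device):
    """External hosts a device depends on: what the architecture review has to list."""
    return sorted({r for _p, r, _port in profile[device]["destinations"] if is_third_party(r)})
def in_baseline(profile, flow):
    device, direction, proto, remote, port = flow
    known = profile.get(device, {"listening": set(), "destinations": set()})
    return ((proto, port) in known["listening"] if direction == "in"
            else (proto, remote, port) in known["destinations"])
def find_deviations(profile, flows):
    """Flows the baseline never showed: what the team should explain before trusting them."""
    return [f for f in flows if not in_baseline(profile, f)]
```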

Too much of the present focus on risk involves prevention. At some point, we have to look at the other side of the risk equation (that is, risk = probability x impact) and focus on reducing the impact instead of trying to reduce probability.

DDoS botnet attacks are not the only way that IoT might behave badly. We could see attacks on confidentiality through server-side request forgery-based attacks in which criminals will attempt to steal money and data from a vulnerable server, and we'll see possible disruptions of integrity through modification of transaction or polling data. So all three points of the "CIA triad" — confidentiality, integrity, and availability — are really in play; it's just that DDoS is the most obvious and topical at the moment.

The bottom line is: you can't properly defend what you don't fully understand. I expect to hear much more about the possible downside of IoT. DDoS is just the beginning.

Daniel Miessler is director of advisory services with IOActive, and is based out of San Francisco. He has over 17 years of experience in information security, and specializes in application security with specific focus in web and application assessments, and helping ...
Comments
Charlie Babcock,
User Rank: Ninja
11/28/2016 | 7:37:52 PM
Needed, a machine-learning watchdog
I think IoT will be safe only when each device has a security profile, along with a watchdog machine-learning system that knows its normal activity and investigates whenever it departs from the norm. A rules engine should be available to rule on whether a new activity is allowed or of a suspicious character. There are just too many connections and dependencies within IoT to seal off all possible intruders.