Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
11/21/2016
10:30 AM
Daniel Miessler
Daniel Miessler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Balancing The Risk & Promise Of The Internet Of Things

You can't defend against something you don't understand. So make sure you consider IoT's risks before embracing its functionality.

Businesses are just starting to realize both the promise and the risk of the Internet of Things (IoT). Some companies are being cautious and careful, but many are embracing the functionality enthusiastically and placing themselves in danger in the process.

It's important to note that the risk from IoT devices varies from company to company. Some have more risk because their IoT systems are connected directly to sensitive systems that can be compromised if there's a problem. Others have IoT systems isolated from business systems but don't realize that compromised IoT devices could still be used to attack others, causing reputation and trust damage.

Right now, businesses are largely in "wait and see" mode. They're not sure how and when to deploy IoT because most of the risks seem both unknown and substantial. There is no one device or type of device that is most at risk, however. For example, hacking an IoT device that stores sensitive data or is linked to an alarm system will have serious and immediate consequences, of course, but just getting onto the network is severe enough, even if that's through an unsuspecting light bulb or coffee machine. The connected nature of these products can create unintentional ports to other sensitive and critical systems, data, and devices. Once attackers have access to the network, they can steal data or damage systems. This is the real objective, regardless of how they get there. 

To put it mathematically, the number of IoT devices being deployed multiplied by the insecurity of those devices multiplied by how hard it is to update them equals some idea of part of the risk that will be presented by IoT devices. The current bandwidth of distributed denial-of-service (DDoS) botnet attacks now exceeds 0.6 to 1 Tbit/s and the industry (in particular, network service providers) are struggling to adapt to the new bandwidth.

Advice for Securing IoT Devices: Know Thy System
The first step in securing IoT devices should be to deeply understand any system that's being considered for deployment. It really comes down to those devices that interact most with business systems and do so in a way that is not well understood by the security team and the business. The key part of protecting IoT systems of this type is understanding what they are, how they connect, and what their capabilities are.

Many IoT systems have a local Web server, a mobile application, listening network ports, and cloud connectivity. Using them normally often involves dozens of connections to third parties. 

These are the issues that businesses need to examine and understand as they roll out IoT. They must first and foremost understand exactly what that IoT system is and all of what it can do. And it's not easy to tell this by listening to the marketing for the product, which can just add more confusion 

Securing IoT devices generally requires an architecture review to fully grasp the various components of an IoT product's ecosystem and how it works, which should be followed by a security review of that architecture. The main risk to businesses from IoT — not fully understood at present — involves rolling out products connected to other business and operational technology systems. There's a concept in security called “Know thy system,” and it has never applied more than with IoT.

Too much of the present focus on risk involves prevention. At some point, we have to look at the other side of the risk equation (that is, risk = probability x impact) and focus on reducing the impact instead of trying to reduce probability.

DDoS botnet attacks are not the only way that IoT might behave badly. We could see attacks on confidentiality through server-side request forgery-based attacks in which criminals will attempt to steal money and data from a vulnerable server, and we'll see possible disruptions of integrity through modification of transaction or polling data. So all three points of the "CIA triad" — confidentiality, integrity, and availability — are really in play, it's just that DDoS is the most obvious and topical at the moment.

The bottom line is: you can't properly defend what you don't fully understand. I expect to hear much more about the possible downside of IoT. DDoS is just the beginning.

Related Content:

Daniel Miessler is director of advisory services with IOActive, and is based out of San Francisco. He has over 17 years of experience in information security, and specializes in application security with specific focus in web and application assessments, and helping ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
11/28/2016 | 7:37:52 PM
Needed, a machine-learning watchdog
I think IoT will be safe only when each device has a security profile, along with a watchdog, machine learning system knowing its normal activity and investigating whenever it departs from the norm. A rules engine should be available to rule on whether a new activity is allowed or of a suspicious character. There are just too many connections and dependencies within IoT to seal off all possible intruders.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13775
PUBLISHED: 2020-06-02
ZNC before 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.
CVE-2020-12607
PUBLISHED: 2020-06-02
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a us...
CVE-2020-13764
PUBLISHED: 2020-06-02
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
CVE-2020-13760
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2020-13761
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS.