IoT
6/7/2017
10:30 AM
Darren Anstee
Darren Anstee
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

Balancing the Risks of the Internet of Things

Do the benefits of an Internet-connected coffee maker really outweigh its security issues?

The connected world is here, and the Internet of Things (IoT) promises a plethora of business benefits such as automated services, optimized resource utilization, better green credentials, and so on. But as with all new technologies, there are new risks, and the risk/value balance must be considered.

Everyone is familiar with the distributed denial-of-service (DDoS) attacks that targeted Dyn last year and the significant service outages that resulted. Back in the early '00s, DDoS attacks often were generated by large botnets of compromised workstations because of multiple vulnerabilities and a lack of security awareness. We now have better awareness of security, and operating system vendors have improved the defensive capabilities within their products — yet here we are again with large botnets of small computers causing havoc. 2016 brought IoT botnets to the fore, and we all witnessed how thousands of relatively small, innocuous CCTV cameras and DVRs could be leveraged to generate DDoS attacks at 500 Gbps or greater.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Many IoT devices have good connectivity on unmonitored network segments, and enough processing capability to drive a significant volume of DDoS attack traffic. IoT botnets are a key problem and are generating significant numbers of DDoS attacks — not just those that have made the headlines. For example, there were 11,400 attacks launched from specific Mirai botnets over a three-month period from November 2016 to February 2017. Attacks from these botnets are responsible for some of the increased scale and frequency of DDoS activity reported in Arbor Networks’ annual Worldwide Infrastructure Security Report.  

Addressing the Risks
DDoS is just one of the ways bad actors can exploit IoT devices, and as the number of exploitable devices increases, how should we address the risks?

First, we must consider how we can protect our current devices from being compromised and used against us. This is mainly a case of applying sensible security practices, changing passwords, and disabling default services that we don't need. But we should also make sure that we isolate our devices, only allowing them access to the infrastructure they need. For example, lighting systems and printers don't need open access to the Internet. We should also select devices that can be upgraded, from vendors that have a good track record of releasing patches for discovered vulnerabilities. And we should ensure that we have telemetry from the network segments where IoT devices are connected, so that we can identify unusual behaviors.  

Services from ISPs and content delivery networks are also becoming available to help defend our (insecure) IoT devices by effectively intercepting exploits and virtually patching vulnerabilities. These services work by routing traffic to and from the IoT device via the service providers’ protection service, but as with everything, there is a balance. Using a service like this may prevent a device from being compromised, but it introduces a single point of failure for all communications to the device, and any data generated or consumed by the device can now be monitored by the service vendor. There is a benefit, but also a risk.

In addition to protecting our devices as best we can, we also need to ensure that we can deal with the threats that may target us from the IoT botnets that are already out there. DDoS is one of these threats, and it's the primary threat to the availability of the Internet services that many organizations rely upon for day-to-day business continuity. DDoS is a well-understood problem and organizations can defend themselves by using a multilayer DDoS protection strategy. This is considered a best practice and utilizes both an on-premises and cloud or ISP-based component. Arbor's Worldwide Infrastructure Security Report showed that 30% of enterprise organizations adopted this model in 2016, up from 23% in 2015.

IoT botnets aren’t only being used for DDoS, however; we are seeing compromised devices being used as proxies, to hide the true origin of traffic, and for password brute-forcing. Both of these threats should be readily apparent from the network activity of the compromised IoT device, emphasizing the need for telemetry on network segments where IoT devices are connected.

The last and possibly most important way in organizations can combat the IoT threat is by building security into the buying decision around IoT devices and their use cases. There are a number of things to consider here, and the first of those is value vs. risk. Does our coffee machine really need to be "connected"? What value does this really add versus the additional risk it represents? Every connected device is a computer with an operating system and applications that potentially have vulnerabilities we should be managing. We need to consider whether the cost of understanding and managing these vulnerabilities outweighs the value of "connecting" the device.

If an IoT use case passes this first gate, security must then be a secondary key buying criterion. IoT devices have, in many cases, been purchased based on cost and functionality, as appliances, without any consideration of security. This must change. We should consider a vendor's track record. Have its products been found to have vulnerabilities in the past, and, if so, how did it react? Were patches or fixes provided quickly?

If security becomes a buying consideration, then vendors will start to add more security functionality to their products, and this in turn will become easier as the technology within IoT devices matures. Standards such as those proposed by the Thread Group and Open Connectivity Foundation may also help to move things forward.  

Fundamentally, as with everything in life, we need balance. IoT is an enabling technology with many use cases and benefits, but we must acknowledge and manage the risks that come with those benefits.

Related Content:

Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer at Arbor Networks, Darren works across the research, strategy, and pre-sales aspects of Arbor's traffic monitoring, threat ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.