Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
6/7/2017
10:30 AM
Darren Anstee
Commentary

Balancing the Risks of the Internet of Things

Do the benefits of an Internet-connected coffee maker really outweigh its security issues?

The connected world is here, and the Internet of Things (IoT) promises a plethora of business benefits such as automated services, optimized resource utilization, better green credentials, and so on. But as with all new technologies, there are new risks, and the risk/value balance must be considered.

Everyone is familiar with the distributed denial-of-service (DDoS) attacks that targeted Dyn last year and the significant service outages that resulted. Back in the early '00s, DDoS attacks often were generated by large botnets of compromised workstations because of multiple vulnerabilities and a lack of security awareness. We now have better awareness of security, and operating system vendors have improved the defensive capabilities within their products — yet here we are again with large botnets of small computers causing havoc. 2016 brought IoT botnets to the fore, and we all witnessed how thousands of relatively small, innocuous CCTV cameras and DVRs could be leveraged to generate DDoS attacks at 500 Gbps or greater.

Many IoT devices have good connectivity on unmonitored network segments, and enough processing capability to drive a significant volume of DDoS attack traffic. IoT botnets are a key problem and are generating significant numbers of DDoS attacks — not just those that have made the headlines. For example, there were 11,400 attacks launched from specific Mirai botnets over a three-month period from November 2016 to February 2017. Attacks from these botnets are responsible for some of the increased scale and frequency of DDoS activity reported in Arbor Networks’ annual Worldwide Infrastructure Security Report.  

Addressing the Risks
DDoS is just one of the ways bad actors can exploit IoT devices, and as the number of exploitable devices increases, how should we address the risks?

First, we must consider how we can protect our current devices from being compromised and used against us. This is mainly a case of applying sensible security practices, changing passwords, and disabling default services that we don't need. But we should also make sure that we isolate our devices, only allowing them access to the infrastructure they need. For example, lighting systems and printers don't need open access to the Internet. We should also select devices that can be upgraded, from vendors that have a good track record of releasing patches for discovered vulnerabilities. And we should ensure that we have telemetry from the network segments where IoT devices are connected, so that we can identify unusual behaviors.  

Services from ISPs and content delivery networks are also becoming available to help defend our (insecure) IoT devices by effectively intercepting exploits and virtually patching vulnerabilities. These services work by routing traffic to and from the IoT device via the service providers’ protection service, but as with everything, there is a balance. Using a service like this may prevent a device from being compromised, but it introduces a single point of failure for all communications to the device, and any data generated or consumed by the device can now be monitored by the service vendor. There is a benefit, but also a risk.

In addition to protecting our devices as best we can, we also need to ensure that we can deal with the threats that may target us from the IoT botnets that are already out there. DDoS is one of these threats, and it's the primary threat to the availability of the Internet services that many organizations rely upon for day-to-day business continuity. DDoS is a well-understood problem and organizations can defend themselves by using a multilayer DDoS protection strategy. This is considered a best practice and utilizes both an on-premises and cloud or ISP-based component. Arbor's Worldwide Infrastructure Security Report showed that 30% of enterprise organizations adopted this model in 2016, up from 23% in 2015.

IoT botnets aren’t only being used for DDoS, however; we are seeing compromised devices being used as proxies, to hide the true origin of traffic, and for password brute-forcing. Both of these threats should be readily apparent from the network activity of the compromised IoT device, emphasizing the need for telemetry on network segments where IoT devices are connected.
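The telemetry the preceding paragraphs call for is only useful if something looks at it. The following is an added example (not Arbor's code and not from the original commentary) of the kind of checks a defender could run over flow records exported from an IoT network segment. It assumes a constructed flow format (`timestamp src dst dport packets bytes`), a constructed address plan (cameras in 10.20.0.0/24, internal services in 10.0.0.0/8) and a per-device egress allow-list; it flags the three behaviours discussed above: traffic outside a device's allowed destinations, SSH/Telnet fan-out consistent with password brute-forcing, high-rate small-packet floods consistent with DDoS participation, and inbound connections from outside the organization that suggest the device is relaying traffic as a proxy.

```python
"""Allow-list and behaviour checks over flow telemetry from an IoT segment (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the example.
IOT_SEGMENT = ip_network("10.20.0.0/24")     # where the cameras/DVRs live
INTERNAL = ip_network("10.0.0.0/8")          # anything else is "outside"

# Per-device egress allow-list: the (dst_ip, dst_port) pairs each device legitimately needs,
# e.g. RTSP to the video recorder and NTP to the local time server. Hypothetical values.
ALLOWED_EGRESS = {
    "10.20.0.11": {("10.10.0.5", 554), ("10.10.0.1", 123)},
    "10.20.0.12": {("10.10.0.5", 554), ("10.10.0.1", 123)},
}

# Constructed sample export: "ts src dst dport packets bytes". Camera .11 behaves; camera .12
# probes Telnet on several hosts, blasts tiny packets at one target and accepts an inbound
# connection from an external address.
SAMPLE_FLOWS = """\
100 10.20.0.11 10.10.0.5 554 200 240000
101 10.20.0.11 10.10.0.1 123 1 76
102 10.20.0.12 10.10.0.5 554 180 216000
103 10.20.0.12 203.0.113.7 23 3 180
103 10.20.0.12 203.0.113.8 23 3 180
104 10.20.0.12 203.0.113.9 23 3 180
104 10.20.0.12 203.0.113.10 23 3 180
105 10.20.0.12 203.0.113.11 23 3 180
106 10.20.0.12 198.51.100.20 53 15000 900000
107 10.20.0.12 198.51.100.20 53 15000 900000
110 192.0.2.44 10.20.0.12 8080 40 12000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed whitespace-separated export into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(packets), int(nbytes)))
    return flows


def policy_violations(flows):
    """Egress from an IoT device to any (dst, port) not on its allow-list."""
    alerts = set()
    for f in flows:
        if ip_address(f.src) in IOT_SEGMENT and (f.dst, f.dport) not in ALLOWED_EGRESS.get(f.src, set()):
            alerts.add((f.src, f.dst, f.dport))
    return sorted(alerts)


def bruteforce_fanout(flows, ports=(22, 23), min_targets=5):
    """Devices contacting many distinct hosts on SSH/Telnet: credential-guessing behaviour."""
    targets = defaultdict(set)
    for f in flows:
        if ip_address(f.src) in IOT_SEGMENT and f.dport in ports:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def flood_sources(flows, window=10, pps_threshold=1000, max_avg_bytes=100):
    """Per (src, dst, time bucket): a high packet rate of tiny packets suggests DDoS participation."""
    per_window = defaultdict(lambda: [0, 0])  # key -> [packets, bytes]
    for f in flows:
        if ip_address(f.src) in IOT_SEGMENT:
            key = (f.src, f.dst, f.ts // window)
            per_window[key][0] += f.packets
            per_window[key][1] += f.nbytes
    hits = set()
    for (src, dst, _), (pk, by) in per_window.items():
        if pk / window >= pps_threshold and by / pk <= max_avg_bytes:
            hits.add((src, dst))
    return sorted(hits)


def inbound_from_outside(flows):
    """External hosts connecting *to* an IoT device: consistent with it being used as a proxy."""
    hits = set()
    for f in flows:
        if ip_address(f.dst) in IOT_SEGMENT and ip_address(f.src) not in INTERNAL:
            hits.add((f.src, f.dst, f.dport))
    return sorted(hits)


def analyse(text):
    """Run every check over one export and return the findings as a dict."""
    flows = parse_flows(text)
    return {
        "policy_violations": policy_violations(flows),
        "bruteforce_fanout": bruteforce_fanout(flows),
        "flood_sources": flood_sources(flows),
        "inbound_from_outside": inbound_from_outside(flows),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_FLOWS).items():
        print(f"{name}: {finding}")
```

The allow-list check alone catches every misbehaviour in the sample, which is the point of isolating devices to the infrastructure they need: once the legitimate destinations are enumerated, anything else is a finding rather than a judgement call, and the behavioural checks then tell you which kind of abuse is under way.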

The last, and possibly most important, way in which organizations can combat the IoT threat is by building security into the buying decision around IoT devices and their use cases. There are a number of things to consider here, and the first of those is value vs. risk. Does our coffee machine really need to be "connected"? What value does this really add versus the additional risk it represents? Every connected device is a computer with an operating system and applications that potentially have vulnerabilities we should be managing. We need to consider whether the cost of understanding and managing these vulnerabilities outweighs the value of "connecting" the device.

If an IoT use case passes this first gate, security must then be a secondary key buying criterion. IoT devices have, in many cases, been purchased based on cost and functionality, as appliances, without any consideration of security. This must change. We should consider a vendor's track record. Have its products been found to have vulnerabilities in the past, and, if so, how did it react? Were patches or fixes provided quickly?

If security becomes a buying consideration, then vendors will start to add more security functionality to their products, and this in turn will become easier as the technology within IoT devices matures. Standards such as those proposed by the Thread Group and Open Connectivity Foundation may also help to move things forward.  

Fundamentally, as with everything in life, we need balance. IoT is an enabling technology with many use cases and benefits, but we must acknowledge and manage the risks that come with those benefits.

Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer at Arbor Networks, Darren works across the research, strategy, and pre-sales aspects of Arbor's traffic monitoring, threat ...