IoT
6/7/2017
10:30 AM
Darren Anstee
Commentary

Balancing the Risks of the Internet of Things

Do the benefits of an Internet-connected coffee maker really outweigh its security issues?

The connected world is here, and the Internet of Things (IoT) promises a plethora of business benefits such as automated services, optimized resource utilization, better green credentials, and so on. But as with all new technologies, there are new risks, and the risk/value balance must be considered.

Everyone is familiar with the distributed denial-of-service (DDoS) attacks that targeted Dyn last year and the significant service outages that resulted. Back in the early '00s, DDoS attacks often were generated by large botnets of compromised workstations because of multiple vulnerabilities and a lack of security awareness. We now have better awareness of security, and operating system vendors have improved the defensive capabilities within their products — yet here we are again with large botnets of small computers causing havoc. 2016 brought IoT botnets to the fore, and we all witnessed how thousands of relatively small, innocuous CCTV cameras and DVRs could be leveraged to generate DDoS attacks at 500 Gbps or greater.

Many IoT devices have good connectivity on unmonitored network segments, and enough processing capability to drive a significant volume of DDoS attack traffic. IoT botnets are a key problem and are generating significant numbers of DDoS attacks — not just those that have made the headlines. For example, there were 11,400 attacks launched from specific Mirai botnets over a three-month period from November 2016 to February 2017. Attacks from these botnets are responsible for some of the increased scale and frequency of DDoS activity reported in Arbor Networks’ annual Worldwide Infrastructure Security Report.  

Addressing the Risks
DDoS is just one of the ways bad actors can exploit IoT devices, and as the number of exploitable devices increases, how should we address the risks?

First, we must consider how we can protect our current devices from being compromised and used against us. This is mainly a case of applying sensible security practices, changing passwords, and disabling default services that we don't need. But we should also make sure that we isolate our devices, only allowing them access to the infrastructure they need. For example, lighting systems and printers don't need open access to the Internet. We should also select devices that can be upgraded, from vendors that have a good track record of releasing patches for discovered vulnerabilities. And we should ensure that we have telemetry from the network segments where IoT devices are connected, so that we can identify unusual behaviors.  

Services from ISPs and content delivery networks are also becoming available to help defend our (insecure) IoT devices by effectively intercepting exploits and virtually patching vulnerabilities. These services work by routing traffic to and from the IoT device via the service providers’ protection service, but as with everything, there is a balance. Using a service like this may prevent a device from being compromised, but it introduces a single point of failure for all communications to the device, and any data generated or consumed by the device can now be monitored by the service vendor. There is a benefit, but also a risk.

In addition to protecting our devices as best we can, we also need to ensure that we can deal with the threats that may target us from the IoT botnets that are already out there. DDoS is one of these threats, and it's the primary threat to the availability of the Internet services that many organizations rely upon for day-to-day business continuity. DDoS is a well-understood problem, and organizations can defend themselves by using a multilayer DDoS protection strategy. This is considered a best practice and combines an on-premises component with a cloud- or ISP-based component. Arbor's Worldwide Infrastructure Security Report showed that 30% of enterprise organizations adopted this model in 2016, up from 23% in 2015.

IoT botnets aren’t only being used for DDoS, however; we are seeing compromised devices being used as proxies, to hide the true origin of traffic, and for password brute-forcing. Both of these threats should be readily apparent from the network activity of the compromised IoT device, emphasizing the need for telemetry on network segments where IoT devices are connected.
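The two points above, isolating devices to the infrastructure they need and collecting telemetry from IoT segments so that proxying, brute-forcing and DDoS participation stand out, can be combined into a simple baseline check over flow records. The code below is an added example, not from the article or from Arbor Networks; the device baseline, the addresses and the flow records are constructed for illustration, and the fan-out threshold is an assumed tuning value.

```python
# Added example: per-device port baseline plus fan-out checks over constructed
# flow records from an IoT segment. Devices whose outbound traffic leaves the
# baseline, or that spray connections at many hosts, are reported.
from collections import defaultdict

# Assumed baseline (constructed): device -> destination ports it legitimately uses.
# In practice this is derived from observed traffic during a quiet period.
BASELINE = {
    "10.10.5.11": {123, 443},  # CCTV camera: NTP and vendor cloud over HTTPS
    "10.10.5.12": {123, 443},  # DVR: same profile
    "10.10.5.20": {631},       # printer: IPP only, no Internet access needed
}

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.11", "203.0.113.10", 443),  # camera -> vendor cloud: expected
    ("10.10.5.11", "203.0.113.11", 123),  # camera -> NTP: expected
    ("10.10.5.12", "198.51.100.1", 23),   # DVR -> telnet to five distinct hosts
    ("10.10.5.12", "198.51.100.2", 23),
    ("10.10.5.12", "198.51.100.3", 23),
    ("10.10.5.12", "198.51.100.4", 23),
    ("10.10.5.12", "198.51.100.5", 23),
    ("10.10.5.20", "192.0.2.7", 80),      # printer -> outside web host: not in baseline
    ("10.10.5.99", "192.0.2.8", 80),      # untracked host: ignored by this check
]

def analyze_flows(flows, baseline=BASELINE, fanout_threshold=5):
    """Return {device: [finding, ...]} for tracked devices that leave the baseline."""
    off_baseline = defaultdict(set)                      # device -> {(dst, port)}
    dsts_by_port = defaultdict(lambda: defaultdict(set))  # device -> port -> {dst}
    for src, dst, port in flows:
        if src not in baseline:
            continue  # only IoT devices we track have a baseline
        if port not in baseline[src]:
            off_baseline[src].add((dst, port))
        dsts_by_port[src][port].add(dst)
    findings = defaultdict(list)
    for dev, pairs in off_baseline.items():
        findings[dev].append(f"{len(pairs)} flow(s) outside baseline ports")
    for dev, ports in dsts_by_port.items():
        for port, dsts in ports.items():
            if len(dsts) < fanout_threshold or port in baseline[dev]:
                continue  # low fan-out, or an expected service: nothing to report
            if port in (22, 23):
                findings[dev].append(f"fan-out to {len(dsts)} hosts on port {port}: possible brute-force")
            else:
                findings[dev].append(f"fan-out to {len(dsts)} hosts on port {port}: possible DDoS or proxy relay")
    return dict(findings)
```

Run against the constructed records, the camera is clean, the DVR is reported for both off-baseline flows and telnet fan-out, and the printer for a single flow outside its baseline.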

The last and possibly most important way in which organizations can combat the IoT threat is by building security into the buying decision around IoT devices and their use cases. There are a number of things to consider here, and the first of those is value vs. risk. Does our coffee machine really need to be "connected"? What value does this really add versus the additional risk it represents? Every connected device is a computer with an operating system and applications that potentially have vulnerabilities we should be managing. We need to consider whether the cost of understanding and managing these vulnerabilities outweighs the value of "connecting" the device.

If an IoT use case passes this first gate, security must then be a secondary key buying criterion. IoT devices have, in many cases, been purchased based on cost and functionality, as appliances, without any consideration of security. This must change. We should consider a vendor's track record. Have its products been found to have vulnerabilities in the past, and, if so, how did it react? Were patches or fixes provided quickly?

If security becomes a buying consideration, then vendors will start to add more security functionality to their products, and this in turn will become easier as the technology within IoT devices matures. Standards such as those proposed by the Thread Group and Open Connectivity Foundation may also help to move things forward.  

Fundamentally, as with everything in life, we need balance. IoT is an enabling technology with many use cases and benefits, but we must acknowledge and manage the risks that come with those benefits.

Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer at Arbor Networks, Darren works across the research, strategy, and pre-sales aspects of Arbor's traffic monitoring, threat ...