IoT
6/7/2017
10:30 AM
Darren Anstee
Commentary
Balancing the Risks of the Internet of Things

Do the benefits of an Internet-connected coffee maker really outweigh its security issues?

The connected world is here, and the Internet of Things (IoT) promises a plethora of business benefits such as automated services, optimized resource utilization, better green credentials, and so on. But as with all new technologies, there are new risks, and the risk/value balance must be considered.

Everyone is familiar with the distributed denial-of-service (DDoS) attacks that targeted Dyn last year and the significant service outages that resulted. Back in the early '00s, DDoS attacks often were generated by large botnets of compromised workstations because of multiple vulnerabilities and a lack of security awareness. We now have better awareness of security, and operating system vendors have improved the defensive capabilities within their products — yet here we are again with large botnets of small computers causing havoc. 2016 brought IoT botnets to the fore, and we all witnessed how thousands of relatively small, innocuous CCTV cameras and DVRs could be leveraged to generate DDoS attacks at 500 Gbps or greater.

Many IoT devices have good connectivity on unmonitored network segments, and enough processing capability to drive a significant volume of DDoS attack traffic. IoT botnets are a key problem and are generating significant numbers of DDoS attacks — not just those that have made the headlines. For example, there were 11,400 attacks launched from specific Mirai botnets over a three-month period from November 2016 to February 2017. Attacks from these botnets are responsible for some of the increased scale and frequency of DDoS activity reported in Arbor Networks’ annual Worldwide Infrastructure Security Report.  

Addressing the Risks
DDoS is just one of the ways bad actors can exploit IoT devices, and as the number of exploitable devices increases, how should we address the risks?

First, we must consider how we can protect our current devices from being compromised and used against us. This is mainly a case of applying sensible security practices, changing passwords, and disabling default services that we don't need. But we should also make sure that we isolate our devices, only allowing them access to the infrastructure they need. For example, lighting systems and printers don't need open access to the Internet. We should also select devices that can be upgraded, from vendors that have a good track record of releasing patches for discovered vulnerabilities. And we should ensure that we have telemetry from the network segments where IoT devices are connected, so that we can identify unusual behaviors.  

Services from ISPs and content delivery networks are also becoming available to help defend our (insecure) IoT devices by effectively intercepting exploits and virtually patching vulnerabilities. These services work by routing traffic to and from the IoT device via the service providers’ protection service, but as with everything, there is a balance. Using a service like this may prevent a device from being compromised, but it introduces a single point of failure for all communications to the device, and any data generated or consumed by the device can now be monitored by the service vendor. There is a benefit, but also a risk.

In addition to protecting our devices as best we can, we also need to ensure that we can deal with the threats that may target us from the IoT botnets that are already out there. DDoS is one of these threats, and it's the primary threat to the availability of the Internet services that many organizations rely upon for day-to-day business continuity. DDoS is a well-understood problem and organizations can defend themselves by using a multilayer DDoS protection strategy. This is considered a best practice and utilizes both an on-premises and cloud or ISP-based component. Arbor's Worldwide Infrastructure Security Report showed that 30% of enterprise organizations adopted this model in 2016, up from 23% in 2015.

IoT botnets aren’t only being used for DDoS, however; we are seeing compromised devices being used as proxies, to hide the true origin of traffic, and for password brute-forcing. Both of these threats should be readily apparent from the network activity of the compromised IoT device, emphasizing the need for telemetry on network segments where IoT devices are connected.
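The two points above, isolating devices to the infrastructure they need and using telemetry from IoT segments to spot brute-forcing, proxying or DDoS participation, can be turned into a simple flow-record check. This is an added example, not code from the article or from Arbor Networks; the flow records, the per-device allowlist and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records from an IoT segment: (src, dst, dport, bytes_out)
FLOWS = [
    ("10.20.0.11", "10.20.0.1", 443, 1200),          # camera to local NVR: expected
    ("10.20.0.11", "10.20.0.1", 443, 900),
    ("10.20.0.12", "10.20.0.1", 443, 800),           # DVR to local NVR: expected
    ("10.20.0.12", "203.0.113.9", 23, 300),          # DVR probing Internet hosts on telnet/ssh
    ("10.20.0.12", "203.0.113.10", 23, 300),
    ("10.20.0.12", "203.0.113.11", 22, 300),
    ("10.20.0.12", "203.0.113.12", 23, 300),
    ("10.20.0.13", "198.51.100.5", 80, 5_000_000),   # printer pushing a large outbound volume
]

# Per-device allowlist: the only infrastructure each device should talk to (assumed policy)
ALLOWED = {
    "10.20.0.11": {"10.20.0.1"},
    "10.20.0.12": {"10.20.0.1"},
    "10.20.0.13": {"10.20.0.1"},
}

LOGIN_PORTS = {22, 23}              # ports typical of credential brute-forcing
BRUTE_FORCE_DISTINCT_DSTS = 3       # distinct login targets per device before alerting
VOLUME_THRESHOLD_BYTES = 1_000_000  # outbound bytes per device before alerting


def analyze(flows, allowed):
    """Return a sorted list of (device, reason) alerts for a batch of flow records."""
    alerts = set()
    login_dsts = defaultdict(set)
    bytes_out = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        bytes_out[src] += nbytes
        # Isolation check: anything outside the device's allowlist is unexpected
        if dst not in allowed.get(src, set()):
            alerts.add((src, "contacted host outside allowlist"))
        if dport in LOGIN_PORTS:
            login_dsts[src].add(dst)
    # Many distinct login targets from one device looks like brute-forcing or scanning
    for src, dsts in login_dsts.items():
        if len(dsts) >= BRUTE_FORCE_DISTINCT_DSTS:
            alerts.add((src, "login attempts to many hosts (brute-force/scanning)"))
    # A device sending far more than its normal volume may be part of a DDoS
    for src, total in bytes_out.items():
        if total >= VOLUME_THRESHOLD_BYTES:
            alerts.add((src, "outbound volume anomaly (possible DDoS participation)"))
    return sorted(alerts)


if __name__ == "__main__":
    for device, reason in analyze(FLOWS, ALLOWED):
        print(f"{device}: {reason}")
```

The camera that only talks to its local NVR produces no alert; the DVR and the printer each trip the allowlist check plus one behavioural rule.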

The last and possibly most important way in which organizations can combat the IoT threat is by building security into the buying decision around IoT devices and their use cases. There are a number of things to consider here, and the first of those is value vs. risk. Does our coffee machine really need to be "connected"? What value does this really add versus the additional risk it represents? Every connected device is a computer with an operating system and applications that potentially have vulnerabilities we should be managing. We need to consider whether the cost of understanding and managing these vulnerabilities outweighs the value of "connecting" the device.

If an IoT use case passes this first gate, security must then be a secondary key buying criterion. IoT devices have, in many cases, been purchased based on cost and functionality, as appliances, without any consideration of security. This must change. We should consider a vendor's track record. Have its products been found to have vulnerabilities in the past, and, if so, how did it react? Were patches or fixes provided quickly?

If security becomes a buying consideration, then vendors will start to add more security functionality to their products, and this in turn will become easier as the technology within IoT devices matures. Standards such as those proposed by the Thread Group and Open Connectivity Foundation may also help to move things forward.  

Fundamentally, as with everything in life, we need balance. IoT is an enabling technology with many use cases and benefits, but we must acknowledge and manage the risks that come with those benefits.

Darren Anstee has 20 years of experience in pre-sales, consultancy, and support for telecom and security solutions. As Chief Technology Officer at Arbor Networks, Darren works across the research, strategy, and pre-sales aspects of Arbor's traffic monitoring, threat ...