The connected world is here, and the Internet of Things (IoT) promises a plethora of business benefits such as automated services, optimized resource utilization, better green credentials, and so on. But as with all new technologies, there are new risks, and the risk/value balance must be considered.
Everyone is familiar with the distributed denial-of-service (DDoS) attacks that targeted Dyn last year and the significant service outages that resulted. Back in the early '00s, DDoS attacks often were generated by large botnets of compromised workstations because of multiple vulnerabilities and a lack of security awareness. We now have better awareness of security, and operating system vendors have improved the defensive capabilities within their products — yet here we are again with large botnets of small computers causing havoc. 2016 brought IoT botnets to the fore, and we all witnessed how thousands of relatively small, innocuous CCTV cameras and DVRs could be leveraged to generate DDoS attacks at 500 Gbps or greater.
Many IoT devices have good connectivity on unmonitored network segments, and enough processing capability to drive a significant volume of DDoS attack traffic. IoT botnets are a key problem and are generating significant numbers of DDoS attacks — not just those that have made the headlines. For example, there were 11,400 attacks launched from specific Mirai botnets over a three-month period from November 2016 to February 2017. Attacks from these botnets are responsible for some of the increased scale and frequency of DDoS activity reported in Arbor Networks’ annual Worldwide Infrastructure Security Report.
Addressing the Risks
DDoS is just one of the ways bad actors can exploit IoT devices, and as the number of exploitable devices increases, how should we address the risks?
First, we must consider how we can protect our current devices from being compromised and used against us. This is mainly a case of applying sensible security practices, changing passwords, and disabling default services that we don't need. But we should also make sure that we isolate our devices, only allowing them access to the infrastructure they need. For example, lighting systems and printers don't need open access to the Internet. We should also select devices that can be upgraded, from vendors that have a good track record of releasing patches for discovered vulnerabilities. And we should ensure that we have telemetry from the network segments where IoT devices are connected, so that we can identify unusual behaviors.
Services from ISPs and content delivery networks are also becoming available to help defend our (insecure) IoT devices by effectively intercepting exploits and virtually patching vulnerabilities. These services work by routing traffic to and from the IoT device via the service providers’ protection service, but as with everything, there is a balance. Using a service like this may prevent a device from being compromised, but it introduces a single point of failure for all communications to the device, and any data generated or consumed by the device can now be monitored by the service vendor. There is a benefit, but also a risk.
In addition to protecting our devices as best we can, we also need to ensure that we can deal with the threats that may target us from the IoT botnets that are already out there. DDoS is one of these threats, and it's the primary threat to the availability of the Internet services that many organizations rely upon for day-to-day business continuity. DDoS is a well-understood problem, and organizations can defend themselves by using a multilayer DDoS protection strategy. This is considered a best practice and combines an on-premises component with a cloud- or ISP-based one. Arbor's Worldwide Infrastructure Security Report showed that 30% of enterprise organizations adopted this model in 2016, up from 23% in 2015.
IoT botnets aren’t only being used for DDoS, however; we are seeing compromised devices being used as proxies, to hide the true origin of traffic, and for password brute-forcing. Both of these threats should be readily apparent from the network activity of the compromised IoT device, emphasizing the need for telemetry on network segments where IoT devices are connected.
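The telemetry point made above (and in the earlier paragraph on isolating devices to only the infrastructure they need) can be turned into a concrete check. The following is an added example, not code from the article or from Arbor Networks: it runs over constructed flow records from an IoT segment and flags each device whose traffic falls outside its expected destinations, shows SSH/Telnet fan-out consistent with password brute-forcing, reaches an unusually large number of external hosts (proxy-like behaviour), or pushes enough outbound volume to suggest DDoS participation. The device policy, the site prefix, the field names and all thresholds are assumptions for the example and would be tuned against a real segment's baseline.

```python
"""Flag suspicious behaviour of IoT devices from per-segment flow telemetry.

Added example (not from the article). Each flow record is a dict with the
keys src, dst, dport, bytes and pkts; these names, the POLICY table, the
site prefix and the thresholds below are all assumptions for illustration.
"""
from collections import defaultdict
import ipaddress

# Thresholds are assumptions; derive real values from the segment's baseline.
BRUTE_FORCE_MIN_FLOWS = 10        # SSH/Telnet flows from one device per window
FAN_OUT_MIN_DSTS = 25             # distinct external destinations per window
VOLUME_MAX_BYTES = 50_000_000     # outbound bytes per device per window
LOGIN_PORTS = {22, 23}

# Constructed site prefix: anything outside it counts as "external".
SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed policy: each device may only reach the infrastructure it needs
# (the article's point that lighting and printers need no open Internet access).
POLICY = {
    "10.20.0.11": {"role": "cctv",     "allowed": {("10.20.0.5", 554)}},
    "10.20.0.12": {"role": "printer",  "allowed": {("10.20.0.7", 631)}},
    "10.20.0.13": {"role": "lighting", "allowed": {("10.20.0.9", 8883)}},
    "10.20.0.14": {"role": "dvr",      "allowed": {("10.20.0.5", 443)}},
}


def flow(src, dst, dport, nbytes, pkts):
    """Build one constructed flow record (one 5-minute export window)."""
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes, "pkts": pkts}


# Constructed sample window: one clean printer flow plus one stray Internet
# connection, a camera probing Telnet on 15 hosts, a lighting controller
# talking to 40 external hosts, and a DVR pushing 60 MB to a single target.
FLOWS = (
    [flow("10.20.0.11", "10.20.0.5", 554, 4_200_000, 3000) for _ in range(3)]
    + [flow("10.20.0.11", f"203.0.113.{i}", 23, 180, 4) for i in range(1, 16)]
    + [flow("10.20.0.12", "10.20.0.7", 631, 90_000, 80) for _ in range(2)]
    + [flow("10.20.0.12", "192.0.2.10", 443, 12_000, 20)]
    + [flow("10.20.0.13", "10.20.0.9", 8883, 3_000, 30)]
    + [flow("10.20.0.13", f"198.51.100.{i}", 443, 2_500, 18) for i in range(1, 41)]
    + [flow("10.20.0.14", "192.0.2.50", 80, 300_000, 220) for _ in range(200)]
)


def is_external(ip):
    """True when the address lies outside every configured site prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in SITE_NETS)


def analyze(flows, policy):
    """Return {device: [finding, ...]} for devices with at least one finding."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f["src"]].append(f)

    findings = {}
    for src, fl in per_src.items():
        out = []
        if src not in policy:
            out.append("unknown_device: no policy entry for this source")
        allowed = policy.get(src, {}).get("allowed", set())

        # 1. Isolation check: traffic to destination/port pairs not in the policy.
        unexpected = {(f["dst"], f["dport"]) for f in fl} - allowed
        if unexpected:
            n = sum(1 for f in fl if (f["dst"], f["dport"]) not in allowed)
            out.append(f"policy_violation: {n} flow(s) to {len(unexpected)} "
                       f"unexpected destination/port pair(s)")

        # 2. Brute-force indicator: many SSH/Telnet connections from one device.
        login = [f for f in fl if f["dport"] in LOGIN_PORTS]
        if len(login) >= BRUTE_FORCE_MIN_FLOWS:
            hosts = {f["dst"] for f in login}
            out.append(f"brute_force: {len(login)} SSH/Telnet flows to {len(hosts)} hosts")

        # 3. Proxy indicator: a device that fans out to many external hosts.
        ext = {f["dst"] for f in fl if is_external(f["dst"])}
        if len(ext) >= FAN_OUT_MIN_DSTS:
            out.append(f"fan_out: {len(ext)} distinct external destinations (proxy-like)")

        # 4. DDoS indicator: outbound volume far above what the role needs.
        total = sum(f["bytes"] for f in fl)
        if total > VOLUME_MAX_BYTES:
            out.append(f"volume: {total} bytes outbound (possible DDoS participation)")

        if out:
            findings[src] = out
    return findings


if __name__ == "__main__":
    for device, notes in analyze(FLOWS, POLICY).items():
        role = POLICY.get(device, {}).get("role", "unknown")
        for note in notes:
            print(f"{device} ({role}): {note}")
```

The policy check does the heavy lifting: once a device's legitimate destinations are written down, every other flow is a finding, and the three behavioural heuristics only add a label for what the deviation looks like. In practice the same allow-list doubles as the egress ACL for the segment, so the telemetry confirms the isolation is actually holding rather than substituting for it.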
The last and possibly most important way in which organizations can combat the IoT threat is by building security into the buying decision around IoT devices and their use cases. There are a number of things to consider here, and the first of those is value vs. risk. Does our coffee machine really need to be "connected"? What value does this really add versus the additional risk it represents? Every connected device is a computer with an operating system and applications that potentially have vulnerabilities we should be managing. We need to consider whether the cost of understanding and managing these vulnerabilities outweighs the value of "connecting" the device.
If an IoT use case passes this first gate, security must then become the next key buying criterion. IoT devices have, in many cases, been purchased based on cost and functionality, as appliances, without any consideration of security. This must change. We should consider a vendor's track record. Have its products been found to have vulnerabilities in the past, and, if so, how did it react? Were patches or fixes provided quickly?
If security becomes a buying consideration, then vendors will start to add more security functionality to their products, and this in turn will become easier as the technology within IoT devices matures. Standards such as those proposed by the Thread Group and Open Connectivity Foundation may also help to move things forward.
Fundamentally, as with everything in life, we need balance. IoT is an enabling technology with many use cases and benefits, but we must acknowledge and manage the risks that come with those benefits.