These four best practices will help safeguard your organization in the Internet of Things.
The Internet of Things is riddled with security challenges. Cybercriminals know this too, and have often been quicker to take advantage of vulnerabilities than we have been to fix them. For instance, according to Fortinet’s Threat Landscape Report for the second quarter of 2017, 90% of organizations recorded attacks that targeted system and device vulnerabilities that were at least three years old, even though updates and patches had long been available. It’s even more alarming that 60% of organizations reported attacks aimed at vulnerabilities that were 10 or more years old.
Today, the billions of online IoT devices present an even more daunting challenge because they generally don’t receive the level of control, visibility, and protection that traditional systems receive. Coupled with widespread automation-based attacks, the potential for damage is even greater. Recent developments, outlined below, reveal why it’s time to take IoT security seriously.
Smart to Smarter
2016’s Mirai malware was the first IoT botnet to lead to an unprecedentedly massive distributed denial-of-service attack. And this year brought us new generations of IoT-based attacks, like Hajime and Poison Ivy, that have multiple toolkits built into them.
Mirai was successful, but it wasn’t built to be smart. Hajime is more robust because it’s automated. It self-propagates like a ransomworm and is difficult to shut down. Even more alarming is that Hajime is a multivector attack that can target different operating systems and supports multiple payloads and binaries, making it cross-platform.
Hajime also removes firewall rules that allow the device to talk to the Internet service provider. In a worst-case scenario, an attack could cause millions of devices to go dark.
The Dawn of Manufacturer Accountability
Mirai was an IoT cybersecurity wake-up call. We all knew that the IoT was insecure, and this botnet provided a glaring real-world example. As a result, individuals, organizations, and regulatory bodies were motivated to accelerate the process of making IoT vendors accountable for their products.
In January 2017, the Federal Trade Commission took the bold step of filing a lawsuit against an IoT manufacturer. The suit alleges that a global manufacturer of computer networking equipment and other connected devices “made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.”
Meanwhile, the US Commerce Department’s National Telecommunications and Information Administration has assembled a working group to develop guidance for IoT device manufacturers to better inform consumers about security updates. This group came up with “key elements” that manufacturers should consider conveying to consumers to help them make better-informed purchasing and use decisions. These key elements include whether a device can receive security updates, how it will receive them, and when support for the device would end.
More recently, the Internet of Things Cybersecurity Act of 2017 was introduced into the U.S. Senate as an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities.
Security updates and standards are only one aspect of imposing IoT cybersecurity and manufacturer accountability, but they’re a good start. These developments are a positive sign that the industry and those who regulate it are serious about creating an environment of accountability.
Four Best Practices to Address IoT Security Challenges
Many CSOs ask me, “If you could give me one piece of advice on IoT security, what would it be?” The answer is, “Know your digital assets.” You have to attain visibility before implementing protection, because you can’t protect what you can’t see. Every organization needs a constantly updated inventory of the assets on its network, including services. Risk analysis and security development is then based on the answer to the question, “If that data or service were to go offline, how much would it cost in revenue and damage to the brand?”
With that in mind, here are four recommendations for addressing the IoT’s cybersecurity challenges.