IoT Has Spawned Entity-Based Risks — Now What?
The Internet of Things (IoT) is driving transformational change in IT infrastructures. Connecting everything — printers, medical devices, cameras, industrial devices, door locks, cars, etc. — to the network, the cloud or both is creating a vast, porous security perimeter. In fact, it’s largely undefendable using traditional security architectures.
The security problem will only grow more complex. A study conducted by 451 Research (via Yahoo Finance) estimates that “the number of IoT connected devices (excluding PCs, smart TVs, and game consoles) will be approximately 8 billion in 2019 and reaching nearly 14 billion in 2024,” while a report from the International Data Corporation (via MarketWatch) forecasts that worldwide spending on IoT will reach $745 billion in 2019.
Increased connectivity means increased security threats. From my experience, many IoT products don’t get regular updates, while some can’t be updated. This exposes devices to potential cyberattacks that target vulnerabilities in outdated hardware and software.
In addition, most IoT devices come with default passwords that can be easily compromised using publicly available password lists and automated searches for particular devices. Others have weak credentials that are susceptible to brute-force password hacking.
The exponential growth in IoT devices has led to more ransomware, malware and botnet attacks that are specifically targeting certain equipment. The Mirai botnet is a recent, high-profile example. Using a distributed denial of service (DDoS) attack against infrastructure provider Dyn, it disabled much of the internet on the U.S. East Coast on October 21, 2016. Mirai took over poorly secured IoT devices like security cameras, DVRs and routers by logging in using default passwords. In comparison, smaller, more targeted attacks can easily evade detection by conventional security products.
There are also communication security issues. Some IoT devices send unencrypted messages to the network, which can lead to data being intercepted.
Meanwhile, traditional IT security models are ill-equipped to address IoT risks since these devices lack built-in monitoring and control capabilities. IoT also breaks perimeter-based security that assumes devices inside the network can be trusted. To complicate matters, many IoT devices are added to the network without IT’s knowledge, where they remain undocumented and unmanaged.
From my experience, the first step your company should take to implement an IoT security strategy is to enforce a strict password policy. IoT devices lack role-based access and privileged delegation controls, and they also use scaled-down operating systems, which pose a potential security vulnerability.
Therefore, you should change all default passwords, with each device being given its own unique, cryptographically complex password. This should prevent devices from being hijacked by automated attacks that scour the internet for devices with default credentials, and it should also reduce the risk of an organization falling victim to brute-force attacks.
In addition, your organization should apply security updates in a timely fashion and request service-level agreements from IoT vendors for patching new vulnerabilities before equipment is deployed. If a vendor doesn’t issue patches in acceptable time frames, you should either request that it does or find another supplier.
You’ll also want to use access control lists within the network to segment IoT traffic and prohibit unauthorized lateral communications, including monitoring and controlling remote access to IoT devices, and you should remove all end-of-life devices.
This article originally appeared on forbes.com To read the full article and see the images, click here.
Nastel Technologies uses machine learning to detect anomalies, behavior and sentiment, accelerate decisions, satisfy customers, innovate continuously. To answer business-centric questions and provide actionable guidance for decision-makers, Nastel’s AutoPilot® for Analytics fuses:
- Advanced predictive anomaly detection, Bayesian Classification and other machine learning algorithms
- Raw information handling and analytics speed
- End-to-end business transaction tracking that spans technologies, tiers, and organizations
- Intuitive, easy-to-use data visualizations and dashboards