The 2015 Internet of Things in the Enterprise Report from OpenDNS, a provider of network security and DNS is an analysis of the potential security threats that the Internet of Things (IoT) poses to the enterprise. IoT may pose an even bigger security threat than Bring Your Own Device (BYOD) and enterprise mobility.
IoT security: The early days
The report paints a picture that IoT security is still in its infancy but needs to change.
“We don’t yet have a year of mobile malware, with that being said we don’t really have a year of IPV 6 or Linux desktop yet either. We are still waiting for that. But I think this problem is exponentially bigger than the mobile problem because of the costs of these devices,” said Andrew Hay, director of research for OpenDNS.
“You can get webcams for under ten dollars or even five dollars,” Hay said. “Yeah, it’s just disposable technology. I spent an entire day walking through Fry’s Electronics, and I was like a kid in a candy store, just looking at anything that had the Wi-Fi certified sticker on it. And it was scary, the types of things that you can connect to the internet. Like toasters and I still don’t understand the internet toaster thing. I think it’s kind of strange but did you know that there is an egg holder that is an IoT enabled egg holder for in your fridge? It counts how many eggs are in there.”
IoT and (non) compliance
IoT devices showing up in regulated industries is one of the most surprising elements of the OpenDNS report, Hay said.
“It was a little alarming especially with regards to like the financial services, healthcare, oil and gas, electric, the government,” he said. “I was expecting to see a huge slant towards higher education and that’s simply because I’ve worked in higher education. I know the types of devices that are brought into a network like that but not the defense contractors and oil and gas companies that, I just expected to be just a little bit more restrictive with what could communicate on their network.”
IoT security breaches coming to an enterprise near you
The first enterprise security breach by IoT is still lurking out there.
“Well, I would think that, really that’s what going to be the event that makes this a priority,” Hay said. “I think that we are very close, and the first inklings of that was, do you remember when the nanny cam, or the nanny or the mother who was picking the child up in the crib she could hear voices come out of the nanny cam or the camera that was connected.”
“That’s sort of the first steppingstone of, ‘okay well this isn’t really science fiction, this could be reality’,” he said.
“So because a lot of these smart TV vendors were never designed to be in the enterprise, just like all the other IOT devices, we don’t scrutinize them like we would a simple piece of IT equipment,” Hay said
“I believe that the big event that is going to wake us up to this threat is someone listening to a board room conversation by the way of television and it being some sort of in site information that could cost that company millions like on the stock market,” Hay said. “Maybe the CEO is going to be retiring due to medical issues, or they are firing a whole bunch of executives or they are going out of business or buying another company.”
“Someone would have to take that information and either play against them on the stock market or just completely release the information causing a loss of job and millions if not billions of dollars.” Hay said that a “Target level” breach event for the IoT enterprise is likely to occur in the near future.
Waking up to IoT security in the enterprise
“I think that they are still being thought of as toys,” Hay said. “There are certain TVs that have started having anti-virus agents installed on them but as a consumer you are not going to know that. It’s not something that was put on there for use in the enterprise.”
He said he also suspects that ARM, Intel, Google, and some other companies will be the ones to define security and testing for IoT in the enterprise.
“But that will only happen if the enterprise asks for it,” Hay said. “If they don’t ask for it they will just receive it and use it then ask questions of how do I secure this now that it’s implemented, just like cloud. Like when people started adapting cloud on that. It was this was great we are saving all of this money but wait there is still huge security concerns, why didn’t they tell us those huge security concerns?”
Bad neighborhoods and IoT
Bad neighborhood is a frequent analogy in the report because they found multiple cases of IoT devices dialing out to less than desirable cloud providers.
“Some of the researchers have been presenting pieces of that,” Hay said. “So a lot of the scoring we do out of OpenDNS with regards to how malicious something is or how benign something is based on a number of criteria such as past known botnet infections.”
“So if you think of it as a dossier for a particular IP address, a particular domain, or even a hosting provider or a subnet that you reside on,” Hay said. “That’s really where the maliciousness and the bad neighborhood comes into play because if you have a /24 network that has 254 usable IP addresses it’s far easier for a network administrator to block access that entire range of IPs as opposed to every single one except for your IP.”
“All the other ones are malicious because it just becomes a maintenance and management nightmare, so there is the potential for really neutering the capabilities of IoT devices if people start blocking access to it either through the IP or through the enterprise level, ” Hay said. “So you could interactively be segmenting yourself or walling yourself off from your potential customers or the users that need that service to upload data to.”
Securing against IoT risks in the enterprise
Hay thinks we’ll see more research including IoT-focused honey pots as cyber security and threat intelligence.
“Finally, look at their traffic in regards of these non-standard devices and start asking the question of their vendors of why is this communicating so much?,” Hay said. “Why is this chatty? How do I certify this for this type of environment?”
Hay said, “And, why is your documentation so poor to help me get this running in my organization?”
He advised that risk assessment starts with knowing your assets and how they connect to your enterprise network. Once hardware, even IoT devices, connect to the network they become network assets.
“So you have to know they [risks] exist, and one of the best ways to do that is via DNS because if see these devices calling out from your infrastructure you know they are presence,” he said.
“Once you have that you can either block the DNS perspective if you don’t want to allow certain traffic out. You can also use typical permit controls, such as firewalls, intrusion detection devices, router ACLs [access control lists],” Hay said. “It’s really how grain you learn on how far back you want to pull the controls to your users desktop experience.”
Future of IoT security in the enterprise
OpenDNS has crafted a report that is educational while avoiding being alarmist about IoT security risks in the enterprise. It’s worth a read if IoT is entering your enterprise or part of a future technology roadmap.