The security of IoT devices is a growing area of concern for the enterprise as newly introduced machines are creating novel ways for cybercriminals to hack into networks. While companies know to protect against common methods of attacks, the Internet of Things has created a whole new world of connected devices that put a company at risk.
Even the IoT-connected vending machine in the corporate kitchen can be the backdoor entryway for cybercriminals to hack into the company's network.
"The Coke machine isn't something that the IT department would know to patch or look at security vulnerabilities or what it is. That's the world we're facing with IoT devices. You have the same framework for addressing security vulnerabilities that are tied to your desktop or your mobile devices, but how does that tie to innocuous devices where you don't have that same relationship or same expectation," said Kendall Burman, an attorney on Mayer Brown's cybersecurity and data privacy team.
IoT security expert Dave Palmer, director of technology for Darktrace, said: "Modern businesses are digital hives of connected objects that all too often lack adequate security, providing attractive gateways for cyber attackers. That could be anything from a printer or a thermostat connected to the corporate network, through to a connected coffee machine or iWatch. These devices are part of the modern tech scene today, but they are relatively unprotected and vulnerable to new threats, such as ransomware."
To determine the risks, and what companies can do, TechRepublic conducted a roundtable where security experts discussed the risks of connected devices, and what companies and individuals can do to protect themselves at work and at home. Participants included: Lorie Wigle, general manager of IoT security solutions, Intel Security; Steve Durbin, managing director at the Information Security Forum; George Japak, managing director of ICSA Labs; Marie White, CEO and president at Security Mentor; Mike Weber, vice president of Coalfire Labs; Dodi Glenn, vice president of cybersecurity for PC Pitstop; Reiner Kappenberger, global product manager, HPE Security--data security at Hewlett Packard Enterprise.
TechRepublic: Which IoT devices are a threat to security for businesses?
Reiner Kappenberger: Any connected device or application provides an attack vector for adversaries to potentially capitalize. According to a HPE Internet of Things Research Study, 60% of IoT devices tested raised security concerns with their user interfaces. These included a range of issues such as persistent XSS and weak credentials.
Lorie Wigle: Everything from printers, cell phones, tablets, USB drives and wearable fitness devices, to industrial controls, smart building technology and the multitude of other internet-enabled devices connecting to a company's network can be a threat if the proper precautions are not in place. Securing the IoT is a complex topic, especially so for business and when it comes to employees bringing their own devices into a corporate environment, but with proactive protection in place and prescriptive education for employees who use mobile devices at work, whether they are company-issued or personal devices, businesses can establish a strong security posture to minimize the risks posed by the ever-growing Internet of Things.
Steve Durbin: The billions of devices that comprise the Internet of Things (IoT) are collecting a wide variety of data from users, who most likely are unaware that it is happening, where the data is being stored, or who has access to it. These devices may be ineffectively protected--exposing critical infrastructure, including industrial control and financial systems, to attack.
Any physical object with an embedded operating system and with a virtual presence that interacts and exchanges contextual cloud-based information with a business is a potential threat to a business. Security is the number one barrier to IoT adoption and when you look at the number of IoT devices out in the environment now, it's easy to see why. Everything from Wi-Fi sensors on manufacturing and production equipment to your smart coffee machine come with the possibility of being compromised, and offer a backdoor for attackers into the enterprise.
George Japak: In the past, internet connected devices were not considered smart and, as such, many organizations did not consider them a high priority to safeguard. However, this thinking is flawed since any device connected to the internet requires protecting. Experts estimate the number of connected devices will grow to more than 5 billion by 2020. Many of these IoT devices are being developed by companies that do not have experience securing devices on the internet, which can lead to privacy leaks and security breaches. Any of these devices can cause problems.
With the vast number of IoT devices, remembering the weakest link is crucial. Even the best laid security plans can fail if they are not properly considered as a part of the overall risk framework. Data breaches are a real threat. Those introducing these devices to their organizations need to understand their agreements carefully. Agreements on where the data goes and what rights are inadvertently given to which entity need to be clear.
Marie White: Anything that connects to a work network, whether Wi-Fi enabled or wired, can be a potential IoT threat to businesses. This can include new versions of more traditional items, such as printer/scanner/fax that gets upgraded with Wi-Fi capabilities that are not properly protected. Also, office or parking lot security cameras may not be properly protected--enabling outsiders to gain access or to remotely monitor activities. As new kitchen products start to be connected, they can become backdoors into company networks or home data. This can include everything from refrigerators to microwave ovens to coffee pots. Even an office TV with Wi-Fi capability and cameras in the break room could be hacked, if precautions are not taken. IoT devices such as smartwatches present an avenue for a hacker or malicious insider to infect a corporate network, or be used as monitoring devices.
TechRepublic: Are there IoT devices that are a threat to people who have home offices or telecommute?
Kappenberger: IoT devices that embed security in from the start are not a threat, but consumers need to think about how their personal IoT devices connect to other things. Consumer electronic devices such as smart appliances or home thermostats are now able to connect to the internet via a wireless router, one of the most insecure devices on the internet. The IoT devices themselves were not designed with data security in mind. Most devices do not require a password, or have a minimum default password. For example, 80%of IoT devices failed to require passwords of sufficient complexity and length, and 70% did not encrypt communications to the internet and local network, according to a HPE Internet of Things Research Study. However, consumers are not made aware they need to change passwords or go over security settings for their devices. This creates gaps in protection, and allows potential attackers to infiltrate and steal the data as it is in motion, as well as access wider systems connected to the insecure device or router.
Wigle: The same devices that pose a threat to businesses in the corporate office, can be threats outside of the office at employees' homes, coffee shops or when traveling, and there are likely fewer security controls in place. For businesses, the key to mitigating risks when employees connect for work outside of the workplace is to enforce secure Wi-Fi connections, strong passwords, VPN use and encryption.
TechRepublic: How are these IoT devices a threat to the enterprise and employees with home offices?
Kappenberger: Companies need to think about securing the data and the device itself. Many organizations take an approach of securing the back-end of the IoT infrastructure that is running in the data center, but not the IoT device itself, or the application that remotely manages the device. Security should actually be treated by those vendors as being as important as functionality. The risks that IoT brings are not only the significant risks of data breaches, but now the expanded risks of physical security and safety of the IoT device user. This is a very important aspect of development which IoT vendors need to keep in mind.
For example, people that use IoT devices to monitor their home for intrusion might find that those systems actually enable a burglar to gain access to their home, or the device could be made to believe that there is no intrusion happening. Even scarier are cases when an intrusion into an IoT device could be used to physically attack a person. An attacker gaining illegal access to an oven or HVAC system that is connected through the internet could potentially switch on the gas valve without starting the igniter. This could cause serious problems, and it is yet unclear if this attack vector could be identified, or the situation declared a malfunction of the device instead of a homicide.
Wigle: Any device that connects to a business network or is used to access business data brings with it risk because of the valuable data that can be accessed through that device. Such devices capture everything from our conversations, to our videos, health information, activities, location, interests and more, while also tracking and accessing customer and employee data, proprietary information, and company financials. Cybercriminals see that data as immensely worthwhile, making connected devices a rich target for attack.
Durbin: The data that individuals store on their fully-connected, mobile devices already makes them attractive targets for hackers and cyber criminals. At the same time the amount of applications people download to their personal and work devices continues to grow. The applications access more information than necessary. At worst, applications can be infected with malware that steals the user's information. This will only worsen as hackers and malware providers switch their attention to the hyper-connected landscape of mobile devices.
The problem with business commuters is that they are not just connecting to the workplace and isn't accessing company data from home; they are likely to do it from anywhere there's a Wi-Fi hot spot, which are not secure enough to protect corporate data and designed for convenience not security. In that, more and more automakers are offering Wi-Fi in their vehicles, commuters will use them to connect their network-enabled smartphones, tablets, and other devices that are also connected to business servers. This has the potential for even greater telecommuting threats, but we will wait and see.
Mike Weber: Generally speaking, there is a lack of awareness of the attack surface that the IoT systems present and a lack of due care in consumer deployments. Accordingly, in a home environment where cellular connectivity is not a requirement, the existing wireless infrastructure would be leveraged to provide connectivity for these devices. The majority of home users will not go to any lengths to secure the environment through network segmentation to keep these devices segregated from their other systems, and end up introducing these systems of unknown security pedigree onto the same WLAN. If compromised, these devices could be used as a pivot point to attack other systems.
TechRepublic: What can business do to protect themselves?
Kappenberger: When developing and implementing IoT applications, it is critical that organizations build security testing into the development process instead of making it an afterthought. While everyone wants to be quick to market and save on costs, security should be treated as being just as important as functionality.
Businesses should apply an end-to-end, data-centric security approach throughout the IoT infrastructure. Organizations should encrypt not only the communications, but also commands and values, on a field level, going from the device to the infrastructure and remote control element. This removes risk (even if an attacker is able to impersonate the infrastructure) and enables maximum protection against remote takeover of an IoT device--the biggest threat to IoT security.
Wigle: Internet-enabled devices create more meaningful and easier work experiences, and we expect to see more and more connected devices being used in the workplace. The key with IoT is to ensure that data is consistently secured from the edge to the data center, with a particular focus on privacy-related data.
Businesses need to formally educate their employees on the risks of bringing their own devices to work and of using their personal devices to access company-owned information. Additionally, they have to reinforce with employees the importance of only connecting to safe and protected Wi-Fi networks, as well as to make sure the security software is installed, up-to-date, and active on any devices that are connected to the company network, or being used to access company data. Businesses should also create a policy around devices in the workplace that defines the following:
- Who is eligible to Bring Your Own Device (BYOD)
- Which devices are allowed
- Which websites or cloud services employees can access for business purposes
- Whitelists and blacklists of apps that employees can use
- Consequences of not following policy
Further, companies need to implement the complete threat defense lifecycle for their enterprises--measures to protect, detect, and correct. Company-owned IoT devices should be selected that implement solid security, particularly if they're connected to the network. IoT devices should implement secure boot, have robust hardware-based identity for authentication, and take advantage of whitelisting to prevent running malicious code. And, of course, protect data via encryption.
Durbin: IoT holds the potential to empower and advance each and every individual and business. However, the security threats are broad and potentially devastating. Organizations must ensure that technology for both off-site and on-site employees adhere to the highest of standards for safety and security. While IoT is still in its early stages, organizations have a chance to build in new approaches to security if they start preparing now. Security teams should take the initiative to research security best practices to secure these emerging devices, and be prepared to update their security policies as even more interconnected devices make their way onto enterprise networks.
Many telecommuting programs focus on productivity and corporate culture with simple networking kits or bundles that are given to employees, and allow them to connect their devices for remote access. However, part of the culture must include security protocols and training that place remote employees under the same strict cybersecurity controls as on-site employees. Remote employees are best working under a security policy that includes policies and controls that create secure mobile environments for telecommuters.
Network access controls are an important aspect of such a program. A solid telecommuting program must include a cybersecurity component to manage network access control such that if a remote employee tried to connect a non-authorized device to a remote server, it will be bounced to the non-secure. This is just one example of the hardware component. Software apps also pose a huge threat as many can contain malware. Allowing access to internal corporate resources does not mean having to go the whole nine. Consider that most of the applications that workers are given access to contain more information than necessary for the employee to perform their tasks.
Additionally, password protection alone isn't sufficient for information in transit at either a Wi-Fi hotspot or a co-working space. End-to-end encryption provided by a virtual private network (VPN) is one of the most common protection measures. Privileged Account Management (PAM) programs are also an important measure to deploy as they prevent hackers from escalating privileges once an account has been hacked.
White: First, know what's on your network. Keep track of who's connecting.
Second, develop an IoT policy, similar to BYOD policies at work. Policies should address allowed devices, network access, security requirements, and privacy. For example, if/when kitchen products or other "Christmas and birthday presents" show up at the office, segment those devices onto other non-critical networks.
Third, enable the protections that are available for these devices. Make sure that security is enabled to the greatest extent possible.
Fourth, train your staff to recognize the pros and cons of various IoT devices. Provide guidance to help them understand and become aware of the benefits and dangers of IoT. Your security awareness training program is the ideal place to incorporate information about new technologies such as IoT, and their associated risks.
Fifth, ensure that adequate monitoring and management of IoT devices is being deployed by security and technology staff. Where appropriate, build IoT into existing procedures and incident management processes.
Finally, understand the many positive ways that IoT can enable new business opportunities. Don't just look at the negatives, but understand how a new generation of sensors can enable the good and disable the bad. Work with the business to develop tactical and strategic plans around IoT.
TechRepublic: What can people who are self-employed or who work in home offices do to protect themselves?
Kappenberger: When using IoT devices, people should consider more than their typical router with built-in-firewall to protect themselves. People should consider investing in commercial intrusion detection and network monitoring to prevent IoT devices from actually being a back door into their own network without them knowing about this. In addition, consumers should always change default device passwords and usernames, install a quality firewall, and ask the vendor for information on their internal security mechanisms.
Wigle: All users should actively engage in the security of their connected devices. Some steps for doing this are below:
- Make sure security software is installed, up-to-date, and active on any devices that are connected to your company network or being used to access company data.
- Keep your devices locked and secured when not in use, and require PINs, passwords, or biometric security to unlock internet-enabled devices.
- When working in public locations, use a privacy or blackout screen on phones and laptops to prevent prying eyes.
- Always use encrypted, password-enabled Wi-Fi and connect via VPN.
- Turn off Bluetooth and only enable it when, and if, you need it to avoid unwanted connections from other devices.
- Only download apps from official app stores, and be sure to read and understand the security settings.
- Remember that any device connected to your home Wi-Fi network can introduce a vulnerability. Select IoT and smart home devices that implement good security and keep them up-to-date with vendor-provided patches. Use strong passwords on these devices also.
Durbin: Telecommuters should keep their devices and security software up-to-date and know how to disable file sharing and automatic connections to Wi-Fi from all company-issued mobile devices. Home-based Wi-fi routers should be configured using WPA2 security and passwords should be very unique and changed often. Again, passwords alone won't protect your devices. Any VPN needs end-to-end encryption.
TechRepublic: Are cyberthreats increasing for IoT devices?
Wigle: Current figures put the number of connected devices worldwide at 15 billion. This number will continue to grow exponentially as more and more connected devices become integral to consumers' and workers' daily lives. Because the data stored on and accessible through mobile devices connected to corporate networks is so valuable, we anticipate the risk to businesses and consumers will continue to increase. Ransomware is a particularly troublesome threat that we expect to see rise with the growth of the IoT.
Because so many IoT devices lack sophisticated security measures, we also see them being targeted by criminals to conscript into botnets, networks of hijacked computers used to amplify attacks, flood servers, and otherwise cause mayhem on a targeted website. The best way for businesses and consumers to combat future attacks on connected devices is to update the software on smart devices, do ample research on security policies, and update procedures on devices before purchasing, and to protect devices with security solutions like VPN software, antivirus, endpoint protection, and encryption.
Durbin: Yes. As the number of IoT connections grow, so will the threat level. IoT is high on the list of the C-suite because it gives businesses a whole new level of increasing efficiency, revenue streams, and customer satisfaction; while at the same time lowering overall operating costs. If you look at the amount of malware that is targeting mobile devices today, consider that similar threats will likely proliferate among IoT devices as they catch on.
Weber: Yes, there is an increasing demand for IoT solutions. Historically speaking, high demand has always driven the pace of product development and vulnerabilities are just a byproduct of that. Until the industry undergoes a major change in direction, more solutions on the market equals more vulnerabilities.
Dodi Glenn: Absolutely. As more of these devices are deployed, miscreants are taking advantage of unpatched/vulnerable devices. In fact, just today a report was posted about a security issue with a wireless keyboard, which allows someone to sniff the keys being typed. This can include usernames and passwords, or other sensitive pieces of information.
TechRepublic: Do you find that businesses are unaware of the dangers of IoT devices?
Kappenberger: We have seen several cases where people assume that IoT devices are safe, and do not expose additional threats. However, this assumption after talking with them more, deeply is quickly replaced with worries about the security problems this can expose. Ultimately, for IoT to have the biggest impact, a security story has to be part of IoT manufacturers' thought process. They need to take into account the sensitivity of the data itself, and how they protect the data itself.
Wigle: Often there is an assumption that the risk of IoT devices is limited to the functionality of the device itself. For example, does it really matter if my smart light bulb is compromised? But, the reality is a vulnerability in the light bulb could permit an attacker to gain access to the Wi-Fi network and much more valuable devices and data. Security for IoT needs to be very comprehensive and implemented as a system. In the home, as an example, a gateway device could be monitoring traffic and helping secure other devices.
Durbin: Yes. Most organizations have not prepared for, nor are they aware of, the numerous security issues of IoT. The whole area of vulnerability management, DDoS attacks, bandwidth requirements, the need for security analytics capabilities, etc. etc. are not areas that most businesses have thought through fully. This should be a priority of organizations of all sizes moving forward. Security is no longer a "nice to have." It is business critical and should be front and center for all employees, from the basement all the way up to the boardroom.
Glenn: I think businesses are, for the most part, aware of the dangers, but they aren't doing anything about it. The businesses know that these devices connect to the internet, but have nothing to really protect them. Conversely, the "consumer people" do not know about the dangers of the IoT devices, and are largely concerned with the feature/functionality of the device itself, rather than security.
Three takeaways for TechRepublic readers:
- Businesses are at an increased risk for cybersecurity attacks due to IoT devices at the workplace and in employee home offices.
- Security policies need to be created around IoT that enforce regular security updates, secure passwords and encrypted communications to the internet and local network.
- Every IoT device is a potential gateway into the corporate network. Even the connected Coke machine and smart coffee maker.
- The scariest threat to the quality of IoT data and analytics (TechRepublic)
- How to avoid ransomware attacks: 10 tips (TechRepublic)
- Pokemon Go: is it a BYOD security nightmare? (TechRepublic)
- IBM X-Force finds multiple IoT security risks in smart buildings (TechRepublic)
- Windows 10 collects too much user data, lacks security says watchdog (TechRepublic)