You’ve probably seen plenty of stories in the media in recent weeks and months, detailing the rise in cybercrime targeting the Internet of Things. And it’s become especially clear that the use of botnets to conduct Distributed Denial-of-Service (DDoS) attacks is becoming more widespread and increasingly damaging.
In October 2016, ‘Mirai’ was one of the first large-scale IoT attack to publicly surface, taking down vast swathes of the web simply through exploiting weak or default passwords on connected devices.
The scary part was that hackers only had to infect 100,000 devices to cause significant disruption for millions of users – a mere drop in the ocean of billions of IoT devices in use worldwide.
Fast forward a year and an even greater threat is emerging. Known as ‘Reaper’ or ‘IoTroop’, the malware is gradually spreading through vulnerabilities in IoT-connected software and hardware.
There has been no activation of the malware yet, but the indications are that it will continue to suck in more and more devices until it can suddenly strike, with disastrous and far-reaching consequences.
All this uncertainty and potential harm is being noted with worry by businesses. In a recent survey of IT decision makers, 63 per cent expressed concern about the IoT and the impact it could have on their security technologies and processes.
And yet, despite that pressing concern from the corporate world, the growth in the size and sophistication of botnet attacks clearly points to a gap between what enterprises need from IoT security and what’s actually being provided.
Leading IT security guru Bruce Schneier has expressed serious misgivings about the minimal security measures currently in place for IoT devices, especially given the increasing prevalence of IoT in our daily lives.
As he puts it: “In a few years, it’s going to be nearly impossible to not be multiply connected to the IoT. And our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else’s cars, cameras, routers, drones, and so on.”
Given the capability for hackers to exploit just one poorly-protected device and gain access to a much wider network, it’s a sobering thought.
What can we do about it?
The (sort of) good news is that governments and legislators are sitting up and taking notice of the problem: regulations are starting to be formulated that would mandate minimum standards of security in IoT devices. But as Schneier says, the bar is being set relatively low and the political process means that it’ll take considerable time for the effects to really be felt.
It goes without saying that we can’t wait around for legislation to provide all or even some of the answers – these IoT security threats are manifesting themselves now, after all. So what can be done in the meantime?
Well, it can’t be underestimated how much extra protection can be found simply through educating the end-user. The prevalent global attitude towards the submission of personal data is still far too lax, and the gap in understanding around how IoT-connected devices work is being overshadowed by people’s clamour to make use of the latest smart gadgets and technologies.
This behaviour was summed up neatly by Robert Hayes, senior executive for security trainer root9B, at a recent Royal Society forum: “On an individual level, people are still willing to trade their data for a picture of a dancing cat or a free app.”
Of course, in the short term, we’re all able to talk to clients and colleagues to help educate them of these dangers. But to combat these attitudes on a global scale, we’ll have to wait for a social change as sweeping as getting cybersecurity considered in the same breath as fire risk when consumers and enterprises are purchasing devices.
So for now, from an enterprise perspective, it’s up to those in the know – independent software vendors, systems integrators and service providers like you – to demonstrate to your clients what a profoundly important issue IoT security is for them to address.
There are three key things you can do now that will help:
- Whether you’re assisting a client in deploying a new IoT system, or expanding an existing one by adding further devices, it’s critical to assess every single endpoint to make sure that they’re secure. This is especially important when devices come from a range of different suppliers and manufacturers, as security measures and protocols will inevitably vary.
- Stay right on top of patch management and ensure every device in an IoT network is equipped with all the latest patches available to it. WannaCry and Petya, the two most publicised ransomware attacks of 2017 so far, both targeted the same vulnerability, for which a patch was already available for months before either attack was known about. Proactive providers that ensured devices were kept up to date were – and are – far less likely to be affected.
- For deeper and controllable protection, consider identity-based security management, particularly in IoT environments where several users may be connecting to the same device (for example, a wireless-enabled printer). Software such as IBM MaaS360 that enables such granular security control makes it much easier to spot any potential bad practices or weak links in the system that could be prone to attack.
What’s clear is that IoT is a rare area of technology where the security world at large isn’t necessarily keeping up with the speed of innovation and adoption. This means there’s extra demand on providing organisations like you to help enterprises secure their devices and networks as best they can – and lucrative rewards for your business if you can demonstrate an ability to do that effectively.
You can leverage MaaS360 and equip your clients with cognitive-powered endpoint management when you partner with IBM.