Internet of Things (IoT) devices are revolutionizing the way we share data and carry a huge charter to improve our banking, shopping, transportation, patient, and individual care and safety, to name a just a few. The mission is admirable, but with thousands of devices flooding the market, the lack of standards and multitude of security deficiencies are creating an on-ramp to corporate, government, and private networks that is wide open to cyberattacks.
This isn’t a problem we might face in the future, it is already happening. Last November, a computer network managed-service provider in South Florida discovered that body cameras purchased for a local police department were infected with a version of Conficker, one of the world’s most prolific computer worms. The worm moved swiftly from the cameras to the connected computer and immediately attempted to spread to other machines on the network.
Earlier this year, Shodan, a search engine for IoT, launched a service that lets users browse for vulnerable webcams. With minimal effort, users can find images of sleeping babies, the back rooms of banks, laboratories, college campuses, and more.
The collection and sharing of IoT data is reshaping many industries, improving safety and productivity, while reducing costs. Research reports forecast that that up to 200 billion smart devices, ranging from smart refrigerators to commuter buses and advanced medical equipment, will be connected by 2020. Gartner estimates that 6.4 billion connected devices will be in use in 2016, up 30% from last year. However, the security infrastructure to protect sensors and cameras that feed data into networks is sorely lacking. High availability and safety are important attributes of IoT deployments and downtime of IoT sensors and/or a network can cause serious damage to an organization and, depending on the deployment, public safety.
IoT sensors and devices can introduce multiple points of vulnerability into a network. Just a few of the security challenges include a dramatic increase in unauthorized access, weak encryption, targeted attacks exploiting vulnerabilities in vendor software, and weak passwords. Once inside the network, attackers can use stolen credentials or move laterally to gain illegitimate access to company assets, information, or to cause damage to critical infrastructure.
Healthcare organizations are attractive targets for cyberattacks since they use picture archive and communications systems (PACS’s) servers, which store critical patient data such as x-rays and other digital images, payment gateways for credit card processing, and other data gathering and aggregation frameworks.
Lack of Adequate Security
To date, many IoT sensor and device manufacturers have failed to provide adequate security to their devices. The market for consumer IoT devices such as cameras, thermostats, or other connected home devices is very price sensitive and manufacturers have focused on minimizing price versus building in security. Each of the 6.4 billion devices connected in 2016 are potentially exploitable, especially problematic given that IoT devices are just as susceptible to the types of cyberattacks that have been plaguing organizations, such as ransomware. It is notable that at Def Con this year, hackers demonstrated the first ransomware attack on IoT smart thermostats, proving that this is no longer just a hypothetical fear. In this attack an attacker could crank up the heat and lock the IoT device until sweltering occupants paid a ransom to unlock it.
With the increase in IoT adoption, things are being forced to change. The Federal Trade Commission (FTC) has, in recent years, brought more than 50 cases against companies that did not provide reasonable security precautions to their products, services, and networks. Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, said, “The message from our enforcement actions is that companies can’t rush to get their products to the market at the expense of security. If you don’t have reasonable security, then that could be a violation of the FTC Act.”
Compliance to regulation is always good, however, it should never be taken as a security plan. With over 700 reported security breaches reported in 2015, it is clear that even with the best efforts at prevention, the clever hacker can and will find his way into the networks. Because of this, companies should have an adaptive defense of prevention and detection for both their enterprise and IoT networks. A new generation of deception technology is designed to detect in-network cyber attackers regardless of whether the attack is a targeted, stolen credential, ransomware, or insider threat. Deception has become increasing popular since it uses highly-efficient luring and engagement techniques vs. relying on signatures or attack patterns to identify attackers.
IT and security teams can configure these deception platforms to appear identical to IoT systems based on XMPP, COAP, MQTT, HL7, and DICOM-based PACS servers in their networks. IoT vendors use the protocols to support a wide away of applications that allow for a more cohesive machine-to-machine communication and monitoring concerning critical data and machine status. The deception platform then appears as production IoT servers and service gateways, deceiving attackers into thinking they are authentic devices as they look to onramp onto production networks.
An Ounce of Prevention
To prevent the hacker from sneaking onto the network from these devices, early visibility to attacker in-network reconnaissance and lateral movement is critical. Deception is designed to make the entire network a trap and provide the real-time visibility and alerting of these in-network threats. The solution should also not just detect the threat but be able to identify different threats, their threat levels, and provide an incident response playbook that includes detailed attack information to automatically quarantine and remediate infected systems.
Hackers use the element of surprise, bidingtheir time to complete an attack. By engaging with the decoys and not the production devices, the attackers reveal themselves and IT and security teams can quarantine and study them for detailed forensics that they can then use for remediation and prevention of future attacks. The IoT deception solution should analyze the attack techniques, the lateral movement of the attack, which systems are infected, and provide the signatures to stop the attack.
Businesses deploying or expanding their IoT networks should build a comprehensive adaptive defense strategy to protect these critical assets. Seven critical actions to build this defense include:
- Build security in from the start – Make decisions about how information is collected, how long it’s retained, and who can access it with security in mind. And, review these decisions periodically as the network grows and evolves.
- The type of data collected will inform security decisions – IT and security teams should understand in detail what individual and device identifiers the device will collect and transmit, actively and passively, from and about users. Teams should view this data in terms of whether the data is personal to the user or can identify the device location. They should ensure manufacturers have employed extra security considerations when developing a device that will collect sensitive consumer data, such as financial information, geolocation, or information collected about high-risk groups such as children or the elderly.
- Think through how data is handled - IT and security teams should develop policies that impose limits on the collection and retention of consumer data. This might include retaining only truncated credit card information, for example. Teams should also minimize the amount of data collected to reduce the potential for compromise.
- Protect the data via additional security measures – Security measures should go beyond simple safeguarding of the device, they should also include administrative, technical, and physical safeguards of the entire network.
- Check vendor performance claims – when deploying physical sensors or devices, IT and security teams should re-confirm that the products are protected as claimed by the vendor.
- Put in place policies to safeguard the network form third parties – Create documented processes for third-party service providers to handle critical data and network hardware and software. This can include limiting their exposure to the network and data, and requiring the vendor to provide notification of any breach.
- Stay up to date on security trends – Prevent what you can, but also have the visibility into threats that have bypassed these systems. Make sure these systems can detect both known and unknown threats and that they deliver substantiated alerts and attack forensics to streamline incident response, remediation, and ongoing attack prevention.
Securing the vast amounts of data generated in IoT environments and their open architectures carries significant risks that IT and security teams, company management, and boards of directors must understand and be proactive in managing. Deception technology is a valuable element of an adaptive defense strategy for IoT continuous threat management and will provide efficient and much need visibility into in-network threats for IoT environments that arise from the lack the standardization and the controls to secure it.
Over time, enhancements will be made to better secure IoT networks and their critical data, however, as we have seen, even in highly controlled enterprise environments, an attacker will still find clever ways to get in. The best defense for IoT networks will continue to be one that has a balance of prevention and real-time detection to know what’s lurking in your network.