Arming cyber battle lines to combat IoT vulnerabilities
Inherent security flaws within IoT devices leave networks wide open to predatory hackers.
Connected devices are transforming the way we bank, shop and, most importantly, share data. They are further propelling advancements in transportation, healthcare and safety. The objective is impressive, but with thousands of Internet of Things (IoT) enabled devices flooding the market and the subsequent lack of standards, security flaws are leaving government, corporate and private networks wide open to predatory hackers.
The concern is not a future one; it has already presented itself. In October 2016, cybercriminals weaponized internet-connected home devices, such as CCTV cameras and printers, to attack Dyn – the internet services provider which controls many of the world’s servers. This massive attack brought down websites such as Spotify, Twitter, Netflix and PayPal for almost the entire day. It has been suggested that the attack was carried out, at least in part, using a botnet of Internet of Things (IoT) devices. The attackers infected vulnerable devices with the Mirai malware, which had previously been used in a DDoS (Distributed Denial of Service) attack against security researcher Brian Krebs.
The collection and sharing of IoT data is reshaping many industries, improving safety and productivity while reducing costs. Research reports forecast that up to 200 billion smart devices, ranging from smart refrigerators to commuter buses and advanced medical equipment, will be connected by 2020. This is especially true in the Middle East, where IoT-centric devices form an important component of the long-term smart city vision which regional governments aim to achieve. However, the security infrastructure to protect the sensors and cameras that feed data into networks is sorely lacking. High availability and safety are important attributes of IoT deployments, and downtime of IoT sensors and/or a network can cause serious damage to an organisation and, depending on the deployment, to public safety.
IoT sensors and devices can introduce multiple points of vulnerability into a network. Just a few of the security challenges include a dramatic increase in unauthorized access, weak encryption, targeted attacks exploiting vulnerabilities in vendor software and weak passwords. Once inside the network, attackers can use stolen credentials or move laterally to gain illegitimate access to company assets, information or to cause damage to critical infrastructure.
To date, many IoT sensor and device manufacturers have failed to provide adequate security in their devices. The market for consumer-level IoT devices such as cameras, thermostats or other connected home devices is very price sensitive, and manufacturers have focused on minimizing price rather than building in security. Each of the 6.4 billion devices connected in 2016 is potentially exploitable, which is especially problematic given that IoT devices are just as susceptible to the types of cyberattacks that have been plaguing organisations, such as ransomware. To validate the risk, at Def Con 2016, hackers demonstrated the first ransomware attack on IoT smart thermostats, proving that this is no longer just a hypothetical fear. In this attack an attacker could crank up the heat and lock the IoT device until sweltering occupants paid a ransom to unlock it.
Healthcare organisations also provide attractive targets for cyberattacks since they use picture archive and communication system (PACS) servers, which store critical patient data such as x-rays and other digital images, payment gateways for credit card processing, and other data gathering and aggregation frameworks.
Transportation will soon become a heavy user of IoT devices, and we should expect to see great strides in using IoT to modernize the public transport sector. For example, Audi recently announced that it will release its first vehicles equipped with the ability to receive information from traffic lights – providing the first step in creating smarter and safer cities.
Compliance with regulation is always good; however, it should never be taken as a security plan. With over 700 security breaches reported in 2015, it is clear that even with the best efforts at prevention, the clever hacker can and will find his way into the network. Because of this, companies should have an adaptive defence of prevention and detection for both their enterprise and IoT networks. A new generation of deception technology is designed to detect in-network cyber attackers regardless of whether the attack is a targeted attack, a stolen credential, ransomware or an insider threat. Deception has become increasingly popular since it uses highly efficient luring and engagement techniques rather than relying on signatures or attack patterns to identify attackers.
IT and security teams can configure these deception platforms to appear identical to the IoT systems and servers in their networks. IoT vendors use these protocols to support a wide array of applications that allow for more cohesive machine-to-machine communication and monitoring of critical data and machine status. The deception platform then appears as production IoT servers and service gateways, deceiving attackers into thinking they are authentic devices as they look to onramp onto production networks.
IoT cybersecurity defence should include preventing what you can, though given the inability to run anti-virus and apply comprehensive prevention techniques on these devices, prevention will, by nature, be unreliable. To stop the hacker from stealthing onto the network from these devices, early visibility into attacker in-network reconnaissance and lateral movement is critical. Deception is designed to make the entire network a trap and to provide real-time visibility and alerting of these in-network threats. The solution should not just detect the threat but also be able to identify different threats and their threat levels, and provide an incident response playbook that includes detailed attack information to automatically quarantine and remediate infected systems.
Hackers rely on the element of surprise and bide their time to complete an attack. By engaging with the decoys rather than the production devices, the attackers reveal themselves, and IT and security teams can quarantine and study them for detailed forensics that they can then use for remediation and prevention of future attacks. The IoT deception solution should analyse the attack techniques, the lateral movement of the attack and which systems are infected, and provide the signatures to stop the attack.
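The triage logic behind the alerting described above, as an added example that is not from the article or any vendor's product: a decoy carries no production traffic, so every touch is a substantiated alert, and the grade rises when one source touches several decoys in a short window (reconnaissance or lateral movement) or offers a credential to a decoy (credential misuse). The event shape, the thresholds and the sample events are constructed assumptions.

```python
# Added example (not from the article or any vendor product): triage of
# decoy-interaction events emitted by an IoT deception platform. The event
# shape and the thresholds are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DecoyEvent:
    ts: float             # seconds since epoch
    src: str              # host that touched the decoy
    decoy: str            # decoy identifier (emulated camera, PLC, gateway...)
    port: int             # emulated service port
    credential: str = ""  # username offered to the decoy, if any

def triage(events, window=300.0, lateral_threshold=3):
    """Grade each source host by how it interacted with decoys.
    Decoys carry no production traffic, so one touch is already a
    substantiated alert ("medium"). Touching `lateral_threshold` distinct
    decoys inside `window` seconds looks like reconnaissance or lateral
    movement ("high"). Offering a credential to a decoy is treated as
    credential misuse ("critical"): decoy accounts are never used legitimately.
    Returns {src: (level, [reasons])}.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        level, reasons = "medium", ["decoy touched"]
        # sliding window over the time-ordered events of this source
        for i, first in enumerate(evs):
            touched = {e.decoy for e in evs[i:] if e.ts - first.ts <= window}
            if len(touched) >= lateral_threshold:
                level = "high"
                reasons.append(f"{len(touched)} decoys within {int(window)}s")
                break
        creds = sorted({e.credential for e in evs if e.credential})
        if creds:
            level = "critical"
            reasons.append("credential offered to decoy: " + ", ".join(creds))
        verdicts[src] = (level, reasons)
    return verdicts

# Constructed sample: a single curious host, a scanner, and a reused account
SAMPLE_EVENTS = [
    DecoyEvent(1000.0, "10.0.5.21", "decoy-cam-01", 80),
    DecoyEvent(1010.0, "10.0.5.40", "decoy-cam-01", 23),
    DecoyEvent(1012.0, "10.0.5.40", "decoy-cam-02", 23),
    DecoyEvent(1015.0, "10.0.5.40", "decoy-plc-01", 502),
    DecoyEvent(2000.0, "10.0.7.9", "decoy-gw-01", 22, credential="svc_backup"),
]
```

Feeding real platform events into `triage` only requires mapping them onto `DecoyEvent`; the verdicts are what a playbook would key its quarantine step on.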
Businesses deploying or expanding their IoT networks should build a comprehensive adaptive defence strategy to protect these critical assets. Seven critical actions to build this defence include:
• Think through how data is handled – IT and security teams should develop policies that impose limits on the collection and retention of consumer data. This might include retaining only truncated credit card information, for example. Teams should also minimize the amount of data collected to reduce the potential for compromise.
• Build security in from the start – Make decisions about how information is collected, how long it’s retained and who can access it with security in mind. And, review these decisions periodically as the network grows and evolves.
• Protect the data via additional security measures – Security measures should go beyond simple safeguarding of the device; they should also include administrative, technical and physical safeguards of the entire network.
• Put in place policies to safeguard the network from third parties – Create documented processes for third-party service providers to handle critical data and network hardware and software. This can include limiting their exposure to the network and data, and requiring the vendor to provide notification of any breach.
• The type of data collected will inform security decisions – IT and security teams should understand in detail what individual and device identifiers the device will collect and transmit, actively and passively, from and about users. Teams should view this data in terms of whether the data is personal to the user or can identify the device location. They should ensure manufacturers have employed extra security considerations when developing a device that will collect sensitive consumer data, such as financial information, geolocation or information collected about high-risk groups such as children or the elderly.
• Check vendor performance claims – when deploying physical sensors or devices, IT and security teams should re-confirm that the products are protected as claimed by the vendor.
• Stay up to date on security trends – Prevent what you can, but also have visibility into threats that have bypassed these systems. Make sure these systems can detect both known and unknown threats and that they deliver substantiated alerts and attack forensics to streamline incident response, remediation and ongoing attack prevention.
IoT holds the promise of enabling dramatic productivity enhancements, safety improvements and cost reductions. However, securing the vast amounts of data generated in IoT environments and their open architectures carries significant risks that IT and security teams, company management and boards of directors must understand and be proactive in managing. Deception technology is a valuable element of an adaptive defence strategy for IoT continuous threat management and will provide efficient and much needed visibility into the in-network threats that arise in IoT environments from the lack of standardization and of controls to secure them. Over time, enhancements will be made to better secure IoT networks and their critical data; however, as we have seen, even in highly controlled enterprise environments, an attacker will still find clever ways to get in. Whether you are protecting aircraft flight data, traffic sensors, medical devices or one of the many forms that IoT will take, the best defence for IoT networks will continue to be one that balances prevention with real-time detection to know what’s lurking in your network.