Organizations are increasing their adoption of devices connected to the Internet-of-Things (IoT). Gartner predicts that by the end of 2020, 5.8 billion enterprise and automotive IoT endpoints will have come online. However, this rise in adoption has become a cybersecurity concern. IoT devices are being actively targeted by hackers and threat groups. Often, these endpoints are poorly secured, enabling hackers to implant malware or hijack them for use as part of larger cyberattack campaigns.
Recently, security professionals have called attention to Ripple20, a set of vulnerabilities affecting the software found in potentially hundreds of millions of IoT devices. The vulnerabilities include remote code execution flaws that allow attackers to run commands on an affected device. Devices from manufacturers including Intel, HP, and Schneider Electric are suspected to contain these flaws.
As such, it’s crucial for all organizations to carry out comprehensive IT audits to determine the devices, systems, and applications that comprise their infrastructure and to perform security validation to check if their defensive measures can actually protect them from threats. Considering how IoT devices are now part of infrastructure, identifying vulnerable IoT devices and checking their level of protection are now vital to any modern cybersecurity strategy.
Adoption Is on the Rise
Organizations look to leverage IoT to make them more efficient. Industrial facilities are among those putting premium on IoT. Networked sensors and smart devices are not only enabling greater productivity through better automation; these devices are also being used to fuel big data and analytics efforts, the insights from which are leading to more efficiencies.
Companies with more conventional workplaces are also benefiting from the IoT. Connectivity allows work to be done remotely across a variety of applications and devices. Even smaller offices with their simple use of smart thermostats can save on costs. Nest claims to save users around 15 percent in cooling expenses.
The ongoing coronavirus pandemic may have limited activities in these workplaces. However, it can be argued that even home devices can now be considered IoT concerns for some companies. Some companies are allowing remote work through employees’ home computers and networks meaning the smart devices and appliances are becoming part of the same networks that access enterprise systems and applications.
IoT as a Security Concern
Security has now become a key security concern as more IoT devices find their way into an organization’s infrastructure. Arguably, the rush to bring to market low-cost IoT devices to cater to increasing demand contributed to these issues. To bring costs down, manufacturers use less powerful hardware on their devices and leave out security features in the firmware that can prevent hackers from hijacking them.
Human lapses and errors are also to blame. Poor configuration and security practices leave these devices exposed to attacks. The Mirai malware strain, responsible for the largest distributed denial-of-service (DDOS) attacks on record, uses password dictionaries including a list of common default administration passwords to try and take over devices. Many users continue to overlook changing these default values with more secure ones, allowing malware to spread and thrive.
What the recent Ripple20 issue has also underscored is that it only takes one weak link in the whole chain for attackers to be able exploit a massive number of devices, putting many organizations at risk. Falling victim to a cyberattack today can derail any organization due to downtime, data loss, legal issues, and costs of recovery and remediation.
Because of the diversity of devices comprising the IoT, there’s no singular solution that can secure all of the devices used by organizations. Securing IoT and the rest of the network means formulating a comprehensive security strategy that attempts to cover all the possible attack vectors and not just these devices.
This typically means installing endpoint security solutions like antiviruses and antimalware on workstations to stop malware spread, using firewalls to prevent malicious traffic from reaching the network, and enabling spam filters to mitigate phishing attacks. Implementing stringent access management of portals and applications also helps stop any unauthorized access.
But what’s critical is for organizations to actually test their defenses through security validation. It’s entirely possible, even with the adoption of various security solutions, that gaps would still be present in their defensive perimeter. Tools and solutions can fail, or missteps in configuration and deployment can occur. For example, even if endpoints are equipped with capable antimalware, if a hacker is able to remotely access these devices due to weak passwords, then they would still be vulnerable to these attacks.
As such, security validation must be done. Vulnerability scanners can check the state of each and every device and network appliance in use across an organization’s network. Penetration tests and simulated attacks can be also done where organizations launch attacks on their own systems to probe which vectors are most vulnerable. These are usually done by security specialists who use methods similar to those used by hackers to breach networks.
Newer solutions such as breach and attack simulation platforms simplify these tests through easy-to-use interfaces and automation. The results from validation provide actionable insights for organizations to use in improving their security.
Making IoT Adoption Work
So far, the IoT has shown that it can be a double-edged sword for organizations. They have already proven to benefit companies by making them more productive and efficient, but they also have shown that they can be the weak links in their overall security.
Following best practices in implementation such as securing access to these devices, deploying capable security tools, and validating these measures through comprehensive and stringent tests would help minimize these risks. This way, companies can enjoy the benefits of what the IoT can bring, while ensuring that their use doesn’t leave them exposed to cyberattacks.