By 2020 the number of Internet of Things (IoT) devices installed across the world will be more than twice the figure for 2017, according to analyst firm Gartner. There are already around 8.4 billion connected devices today and Gartner says there will be 20.4 billion IoT devices deployed by 2020.
Unfortunately, these devices don’t just pose risks to their owners, because attackers have now learned how to compromise IoT devices and effectively weaponise them to use against others.
IoT devices are now deployed in a wide variety of ways and most organisations use them for various monitoring tasks, including environmental control systems, access control and monitoring including CCTV cameras and webcams, inventory tracking and automation, appliance sensors, wearable devices, as well as connected vehicle and fleet management GPS trackers.
IoT Security Severely Lacking
IoT devices are easy to deploy and use and this means there is very little concern about their security from those that set them up. One of the biggest worries is that they tend to be implemented outside of the IT-managed network or application deployments and consequently there can be gaps in security between an organisation’s infrastructure devices, network connections, web applications and their collection and analysis tools.
At the end of the day, IoT devices are fundamentally small computers that are often directly connected to the internet without firewalls. The biggest concern is the lack of security features that come with many IoT devices, including the fact most have default admin passwords that are rarely changed. This makes them an ideal target for attackers looking to build out botnets and last year saw a massive increase in the recruitment of IoT devices to launch attacks around the world.
The “IoT-sphere” is a network of various connected physical devices with ability to communicate wirelessly to collect and exchange data as well as cause damage. These devices utilise their embedded technology to communicate and sense or interact with their internal states or the external network to send or receive data. Security researchers are constantly finding severe vulnerabilities with IoT devices, including remote code execution, unauthorised access, authentication bypass, or issues that could lead to theft of unencrypted data or any Personally Identifiable Information (PII). There is an increased risk of a breach with the growth of IoT and under the new Australian privacy law that comes into effect on 23 February 2018, organisations will have to notify the Privacy Commissioner of any PII breaches.
As a consequence of the all of the breaches that have been blamed on IoT, the security standards and guidelines have now been greatly improved to help defend against cyber-attacks with secure encryption and communication of sensitive information, robust authentication and authorisation, intrusion detection and security monitoring, secure coding and physical device security. However, there are still many of the older devices out there that lack sufficient security or were not installed correctly.
Comprehensive Pre-emptive IoT testing
There are multiple security risks related to IoT devices such as obtaining unauthorised access to sensitive data or making unauthorised changes to data or a program. Therefore, being able to test IoT devices for vulnerabilities can pre-emptively reduce the costs of remediation upon breach – which have been widely reported to be more complex and costly than attacks on other parts of the IT infrastructure.
The following areas should be considered for pre-emptive testing:
Cryptography – The cryptography protocols and processes on IoT Device should not be enabled by default. Enabling only necessary cryptographic algorithms will help prevent intruders from gaining access to and control over the resources. Limit administrative account privileges and separate administrative actions and rights from standard user accounts to avoid the risk of misconfiguration by users.
Communications – Provide data confidentiality, authentication and integrity and replay protection based on secure and established standards for communication protocols. Ensure proper validation of peer credentials and public key based verification for peer communications.
Authentication & Authorisation – Organisations need to ensure secure authentication for administrative access and require configuration, identification and authentication of credentials on first-time use. It’s advised to implement a privileged user management system to limit access to administrative features and ensure that administrators can access and monitor systems and devices. This includes session monitoring of privileged sessions, protection of passwords to service accounts, and frequent password rotation.
Device Physical Security – Given the vast threat landscape of an IoT environment, which consists of application, device, network, encryption and API’s, the days of employing the ‘lock it all down’ approach are over. Organisations should install visible tamper evidence mechanisms and prevent unauthorised access to internal components on their IoT devices.
In today’s disruptive and highly competitive environment, organisations need to adapt and capitalise on new technologies that can make them more efficient, secure and stand out from the crowd. IoT is an area with enormous potential for enterprises in all verticals to be different, but the challenge will be to balance convenience with security. The simple fact is that security cannot be bolted on and must be baked in to the architecture to help reduce the costs of implementing it later.
Enterprise IT teams know that nothing is attack-proof and IoT deployments are now at a higher risk than traditional network and data centre deployments, but by carrying out pre-emptive testing using trusted experts, enterprises can greatly reduce the risk posed by IoT. Adopting a cost-effective approach that ensures that security best practices and expertise cover all enterprise IoT solutions as well as traditional IT will significantly reduce the risks.