This is a game I refuse to play. I think it’s possible to carefully communicate security risks associated with new technologies and trends without intentionally confusing the issue. The so-called “Internet of Things” is one of the latest buzzwords being used by vendors and service providers. It’s a relatively simple concept, yet it represents a set of serious security concerns for your business.
The Internet of Things (or IoT) is a blanket term used to describe all of the technology being deployed in homes and businesses that isn’t normally considered part of traditional IT infrastructure (things your IT staff already manage: computers, mobile devices, network equipment). These new devices connect to the public Internet and communicate in ways that make them “smarter”. These devices include security cameras, climate control, inventory logistics, power meters, and even “smart beds” in hospitals.
While the improvements in efficiency and cost savings that IoT devices can bring to a business cannot be ignored, it’s important to understand the risks associated with “smart” devices. Despite being physically located on your premises, many IoT devices are managed “in the cloud”, meaning that the device communicates with an external entity (probably the vendor) across the public Internet, and that you (or your IT staff) manage and interact with it through a web browser or mobile application that also connects to this external entity. This opens up the attack surface (ways in which a cybercriminal will attack you) for both your network and the data you are trying to protect.
The IoT industry is growing quickly. To stay competitive, IoT vendors are developing new products rapidly, and are often not spending the time and resources necessary to develop secure software that runs on these devices. It can be difficult to design and develop a secure embedded device, especially one that requires so much connectivity. IoT devices are often “opaque” as well, meaning that your IT staff, however talented and experienced they are, may not have insight into how the devices work, nor the ability to change their configuration in any useful way with regard to security.
At HORNE Cyber, the teams of hackers we employ on network penetration tests have identified vulnerabilities in many of these devices at almost every single client we have tested over the past year (a sharp increase over previous years). Finding these vulnerabilities requires extensive security testing and reverse engineering experience. Mitigating these vulnerabilities requires designing your network to limit connectivity between IoT devices and sensitive systems and data.
Cybercriminals understand the Internet of Things all too well. The largest network denial of service attacks in history occurred in recent months, and the systems used to carry out these attacks were not powerful servers. These attacks were carried out by criminals who controlled thousands of network-connected security cameras that they had hacked. Traditional network security monitoring solutions may not identify the latest IoT attacks, especially if you are not constantly updating those monitoring systems with information on vulnerabilities that your specific IoT devices might have.
My advice is to take advantage of new technologies that can help you become more efficient and profitable, but to only do so when you’ve carefully addressed the risk. Actively test your network for vulnerabilities, and monitor for intrusions by cybercriminals. See to it that you’re protected, and look forward to my future columns on other issues in cyber security.
Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber. Understanding that businesses are under constant cyberattack, and simultaneously held ultimately responsible for their own victimization, Wes stepped away from academic research in order to develop talent and services that help organizations improve their resilience. He has made a career out of studying attacker techniques and applying them in offense-oriented services like penetration testing that identify vulnerabilities before they are successfully exploited by real criminals.