As IoT Becomes a Business Necessity, How Can IT Leaders Keep Their Organisation Safe?
In insight / By Phil Muncaster / 08 August 2017
The Internet of Things (IoT) is changing the world, one device at a time. There will be an estimated 8.4 billion connected “things” in use this year, helping businesses become more agile, efficient and cost effective, and offering them new ways to deliver customer-facing services. For consumers, the IoT offers us all a chance to become healthier, happier and more productive. But there are challenges: the more connectivity and computing you introduce to an organisation, the more opportunities you offer hackers to compromise these systems.
Every month a new IoT vulnerability or cyber threat seems to appear. The discovery of the “Devil’s Ivy” flaw in July could have a profound impact on businesses and users, and should persuade IT bosses to exercise extreme caution when buying or sanctioning use of IoT in the workplace.
A devilish threat
Devil’s Ivy was discovered last month by IoT research firm Senrio while it was assessing a security camera made by Axis Communications, the world’s biggest vendor of such systems. If exploited, the vulnerability could allow a remote attacker to take control of a camera, giving them access to its video feed or the ability to deny that access to the camera’s owner.
“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded,” the firm explained.
Unfortunately, the bug wasn’t found in just 249 separate camera models from the vendor, which would have been bad enough. It actually lies in gSOAP, an open source third-party toolkit for the SOAP (Simple Object Access Protocol) web-services protocol that is embedded in a great many products, so the vulnerability could affect tens of millions of other IoT devices and software products to a greater or lesser extent. That is the real lesson of the flaw: a single bug in a shared library becomes a vulnerability in every product that ships it, and most of those products will never be identified by their owners as containing gSOAP at all.
The discovery has highlighted once again the precarious nature of the emerging IoT universe. The Internet of Things is creeping ever further into mission critical systems: from manufacturing to healthcare, transportation to government. Yet most systems have been designed with usability and time-to-market in mind, rather than security. This could be a big mistake.
A hacker’s dream
It doesn’t take much to work out how hackers could cash in. There are endless opportunities for cybercriminals to make and extort money, for hacktivists to generate publicity for their cause, and for state-sponsored hackers to steal sensitive data via compromised systems. Unlike many traditional IT systems, IoT devices have a unique place in the physical world. Thus, a connected car could be hacked and remotely controlled to effect an assassination; manufacturing facilities could be attacked by a rival to cause chaos on the production line; or the manufacturer of connected pacemakers could be blackmailed with the threat of switching off patients’ devices.
That’s not all. Each IoT device represents a potentially unsecured endpoint via which hackers could access the corporate network and all the sensitive IP and customer data stored on such systems. That means IT managers must be careful not only about which internal systems and devices they buy, but also about which devices they allow staff to bring in and connect to the network. As the Mirai DDoS outages last year taught us, many consumer-grade devices are poorly designed and configured: Mirai spread simply by scanning the internet for devices that still answered on telnet with factory-default usernames and passwords. Often all hackers need to do is scan the internet and they’ll find which systems can be compromised.
A Trend Micro study from earlier this year revealed that millions of IoT devices, databases, servers and industrial control systems in the US are exposed in this way.
Where are the bugs?
The good news is that consumers are beginning to understand the seriousness of the problem. A global study from security firm Irdeto last month revealed that 78% of consumers are aware that an IoT device on their home Wi-Fi network could be targeted by a hacker. Some 90% argued that security should be built into products from the outset. This echoes research from the non-profit prpl Foundation, which found last year that 42% of consumers would be prepared to pay more for more secure devices, and that a third (32%) would buy more connected kit if more secure products were on the market. Only a quarter (26%) claimed they weren’t concerned at all about the security of devices.
However, in the workplace, it’s up to IT leaders to mitigate risk.
So where are the key areas of vulnerability? The OWASP Internet of Things Project, with its IoT Top 10 and its list of IoT attack surface areas, is a fantastic place to start. Part of the problem with the Internet of Things is that every product has many moving parts, giving hackers multiple opportunities to compromise the system. These include the network traffic between device and cloud, the back-end APIs, the mobile application, the update mechanism, the device firmware, and the device’s own web interface. A device can be well defended on one of these and wide open on another, so each needs to be assessed in turn.
Another issue is that when vulnerabilities are found, manufacturers can be slow to implement a fix, and if that fix is not pushed over-the-air automatically there’s a good chance end customers will never install it. Devil’s Ivy illustrates both halves of the problem: the gSOAP fix has to be picked up by every vendor that embeds the library, and then by every customer running each vendor’s firmware.
Somewhere to start
Given the sheer volume and variety of devices, it can be difficult knowing where to start when it comes to IoT security. But here’s a quick check-list which should help mitigate some of the most common causes of IoT-related cybersecurity risk.
- With the OWASP attack surface areas in mind, vet any IoT kit before purchase. You need to know which security protocols it supports, how it is patched and how easily, whether the vendor publishes security advisories, and whether there are any obvious security issues that cannot be resolved.
- Change the default username and password immediately, even if the device does not prompt you to, and use strong, unique credentials for every device.
- Keep device firmware fully up to date, and enable automatic updates where the device offers them.
- Encrypt any data stored on smart or connected devices, such as NAS units.
- Continuously monitor network traffic from IoT devices so that unusual patterns and intrusion attempts are spotted early; a device that starts talking to hosts it has never contacted before is a classic sign of compromise.
- Don’t allow any employee-owned device to connect to the corporate network until it meets a strict set of security criteria, and put IoT devices on their own network segment rather than alongside servers and workstations.
- Turn off UPnP, which can silently open inbound ports on the firewall and expose some devices to attack from the internet.
- Educate employees about the possible security risks and how to use devices safely.
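The monitoring item in the check-list above is the one most often left vague, so here is an added example of what it can mean in practice. This is illustrative code written for this article, not a Nasstar tool or anything from the OWASP project; the device addresses, the per-device baseline of expected destinations, and the flow records are all constructed for the example. It runs two checks over connection records of the kind a firewall, NetFlow or Zeek export would provide: a device opening telnet or SSH connections to many distinct hosts in a short window (the scanning behaviour of Mirai-style worms), and a device contacting any destination outside the small set it legitimately needs.

```python
"""Flag IoT-style anomalies in outbound connection records.

Added example, not Nasstar's code. Device addresses, the baseline of
expected destinations and the sample flows are constructed for this
example; in practice the records would come from a firewall, a
NetFlow/IPFIX collector or a Zeek conn.log.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # source address (the IoT device)
    dst: str     # destination address
    dport: int   # destination port


# Hypothetical per-device baseline: the hosts each camera legitimately
# talks to (vendor cloud service and the local gateway for DNS/NTP).
BASELINE = {
    "10.20.0.11": {"203.0.113.10", "10.20.0.1"},
    "10.20.0.12": {"203.0.113.10", "10.20.0.1"},
    "10.20.0.13": {"198.51.100.5", "10.20.0.1"},
}
IOT_SUBNET = ip_network("10.20.0.0/24")   # segment the devices live on
SCAN_PORTS = {23, 2323, 22}               # telnet, alt telnet, SSH
SCAN_THRESHOLD = 5                        # distinct targets per window
WINDOW = 60                               # seconds


def detect_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: max distinct targets} for IoT hosts that opened
    connections to >= threshold distinct hosts on telnet/SSH ports
    within any `window`-second period."""
    by_src = defaultdict(list)
    for f in flows:
        if ip_address(f.src) in IOT_SUBNET and f.dport in SCAN_PORTS:
            by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fs)):           # sliding window over time
            while fs[hi].ts - fs[lo].ts > window:
                lo += 1
            targets = {f.dst for f in fs[lo:hi + 1]}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def detect_off_baseline(flows, baseline=BASELINE):
    """Return {src: sorted list of destinations} for baselined devices
    that contacted a host not in their expected set."""
    unexpected = defaultdict(set)
    for f in flows:
        if f.src in baseline and f.dst not in baseline[f.src]:
            unexpected[f.src].add(f.dst)
    return {s: sorted(d) for s, d in unexpected.items()}


# Constructed sample: .11 behaves normally, .12 sweeps telnet across an
# external range, .13 makes one HTTPS connection to an unknown host.
SAMPLE = [
    Flow(1000, "10.20.0.11", "203.0.113.10", 443),
    Flow(1001, "10.20.0.11", "10.20.0.1", 53),
    Flow(1002, "10.20.0.13", "198.51.100.5", 443),
    Flow(1003, "10.20.0.13", "192.0.2.77", 443),
] + [Flow(1010 + i, "10.20.0.12", f"192.0.2.{i}", 23) for i in range(8)]

if __name__ == "__main__":
    print("possible scanners:", detect_scanners(SAMPLE))
    print("off-baseline traffic:", detect_off_baseline(SAMPLE))
```

The baseline check is deliberately simple (a fixed allow-list per device); in a real deployment it would be learned from a few weeks of traffic and reviewed by a person before being enforced, and the scanning threshold tuned so that a legitimate management host is not flagged. Either alert is a reason to pull the device off the network and inspect it rather than just to log it.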
As a managed IT services provider, Nasstar is constantly reviewing its security posture based on the current and predicted threat landscape to ensure clients are protected from threats.
Nasstar has many layers of security protecting its hosted platforms, but it is crucial that its clients create a cyber-savvy culture within their own organisations. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.
That’s why as a managed service provider, Nasstar puts a major focus on education and training – of our own staff and those of our clients, in things like Cyber Essentials. Security is present at every layer of our organisation, and it can be in yours too.
For more information read our short guide on the ways that Nasstar protects customer services.