How to wake the enterprise from IoT security nightmares

The IoT security market will reach a valuation of $36.95 billion by 2021, says data from a Marketsandmarkets.com analyst report. Where the cyber security mayhem grows, so flows the security market money.

In 2017, experts predict that gaping IoT security holes will lead to the destruction of critical infrastructure and increases in competitive intelligence gathering and intellectual property theft. 2017 will see more DDoS attacks of the magnitude that brought down the Dyn Domain Name System service and many high-profile web domains with it.

CSO dives into top security nightmares stemming from the sheer multiplication, vulnerability, capacity, reach, and scale of IoT, delivering solutions and insights from IoT security researchers, academics, and experts.

A top five collection of IoT security nightmares

Nightmare No. 1: 5 million new IoT devices added daily equals as many and more new security vulnerabilities each day. In 2016, the world connected 5.5 million new things to the internet daily, according to Gartner. The more the IoT devices, the more the security vulnerabilities, given that there are typically multiple security holes per device, and the broader the attack surface, since these connected gadgets are popping up everywhere, says Roberto Tamassia, Ph.D., executive master in cybersecurity at Brown University.

“Factors that contribute to IoT device vulnerabilities include device manufacturers who don’t have extensive cyber security experience, computing power and storage constraints that limit the available security mechanisms, cumbersome software update procedures, and the lack of user awareness of the security threats posed by these devices,” explains Tamassia.

Nightmare No. 2: IoT devices are a very attractive and powerful form of ubiquitous, low-hanging fruit for attackers. The growing number of easily hacked IoT consumer products is leading to a greater likelihood, frequency, and severity of IoT security nightmare scenarios including attacks on enterprise data, plants and equipment, and employees as well as consumers.

It is not hard for an attacker to gain control of entire networks starting from the compromise of any one of the many vulnerable consumer IoT devices; the popular NEST thermostat presents one example. In 2015, upon accessing the NEST’s mini USB port, TrapX Security engineers used an ARP spoofing app to spoof the ARP address for the network gateway as part of a man-in-the-middle (MITM) attack, says Moshe Ben-Simon, co-founder, TrapX Security. Hackers use MITM attacks to gain increasing control of systems on either or both ends of the communication, including enterprise networks.

Even if you find the NEST thermostat in the home and not on enterprise property, close to company networks, the massive remote and mobile workforce ensures that criminal hackers’ control of home computer systems ultimately leads to attacks on the corporate systems that employees connect to from home. A NEST hack is only one way that innocent IoT devices can open entire networks and organizations to the high risk of compromise, theft, and perhaps disruption of ongoing operations, says Ben-Simon, former CISO at Dexia-Israel Bank. With control of IoT in the home or the enterprise, hackers can not only steal data but put life, limb, and property at work or away in jeopardy.

Nightmare No. 3: IoT is key to unlocking mountains of private consumer data, adding to hackers’ targets and attack vectors and enabling them to easily guess common passwords used by key business, government, military, political and cultural targets, according to Ryan Manship, security practice director at RedTeam Security.

IoT collects consumer data to aid companies with targeted marketing by building a digital representation of each consumer’s preferences and features, says Manship. Attackers steal and combine the different data to reveal consumer interests and habits, which they use to guess user passwords and answers to security questions so they can log into the enterprise where employees have reused the same passcodes, explains Manship, a contributor to the SANS Securing The Human (STH) training program.

Nightmare No. 4: The increasing access to SCADA and industrial controls through IoT makes broad devastation possible. When IoT such as industrial control systems connect to the internet, it becomes extremely challenging to protect utilities and national infrastructure against attack.

Examples of such attacks include the recent hack of a Ukrainian power plant, leading to power outages for tens of thousands of people, mentions Ryan Spanier, director of research, Kudelski Security. “In this attack, hackers targeted the management system of the critical infrastructure to enable the disruption of service. This is a fairly small-scale example of the problems an attack on critical infrastructure could create,” says Spanier.

Nightmare No. 5: Prevalent and largely open IoT makes the simultaneous “Fire Sale” attacks on every agency, service, and utility as depicted in the movie, “Live Free or Die Hard” easier than ever. IoT makes it possible for hackers to create and use botnets on such a large scale that taking down many kinds of infrastructure at once using DDoS attacks becomes relatively routine.

“Imagine attackers using 10- to 15- percent of the IoT devices in the U.S. to form a DDoS attack to take down all internet traffic on Wall Street,” suggests Ben-Simon, formerly of the Israeli Air Force Network and Security Department.

Mitigating the top five and many other IoT security concerns

By 2020, Gartner expects that the 5.5 million IoT devices connected-per-day in 2016 will grow to 20.8 billion IoT devices in use in total. There is little slowing the advance of these devices.

To safeguard that hardware, enterprises should first weigh their convenience and efficiency advantages against the risks, institute security policies and procedures that cover each type of device, and include IoT security training in employee security education programs, says Tamassia. Behavior-based and IDS/IPS security technologies will have to envelop the potential bad behavior of IoT devices as well.

When an enterprise installs and uses a consumer device such as a NEST thermostat, they need to implement new second generation firewalls, allow only specified IP addresses to connect, apply second generation endpoint security, and use deception technology, says Ben-Simon. The appearance of NEST and other devices in the home and the repercussions are more reasons to educate employees and increase the security of their connections and communications to work.

No matter how attackers guess passwords and answers to secret questions, using additional authentication can keep sites secure. Methods such as using PINs and sending codes to user email to confirm identity are great examples. As approaches to guessing passwords change, the enterprise must adapt. “Enterprises must utilize security professionals to understand the risks of new technology, to ensure their technology is updated continuously (not introducing new risk), and to act when they identify new risks,” says Manship.

It is challenging to secure SCADA and legacy industrial control systems because these tend to be closed systems without even the fundamental facility for cyber security mechanisms. “At a minimum, enterprises should isolate these systems on their network, closely monitor them, and control access,” says Spanier.

[ RELATED: The SCADA Security Survival Guide ]

“Industrial control systems have high availability requirements – meaning that downtime for an upgrade is unacceptable. In an ideal world, these systems would be enhanced with state-of-the-art cyber security defenses, isolated from the internet,” says Spanier, also formerly of GTRI.

As for putting out fire sale fires, securing IoT against use in DDoS attacks includes securing the devices while assuming the network is hostile and securing the network while assuming that the devices are hostile. This approach falls in line with the least privilege zero trust model of security.

Organizations can mitigate hackers who add IoT to botnets by upping the security game for networks that contain IoT. “Government agencies and enterprises need to examine security solutions that work inside the corporate network. New technologies that use deception enable organizations to identify attackers already inside a network that also has IoT devices attached to it,” says Ben-Simon.

Considering additional progress toward securing IoT

The future of IoT presents security challenges, but also solutions. Here are three firm recommendations from Tamassia, one of the 360 most cited computer science authors by Thomson Scientific, Institute for Scientific Information (ISI):

• First, the Federal Trade Commission should fine companies that sell appliances with poor security, such as back doors, until they recall and repair their products.
• Second, legislators should write laws that require that IoT appliances periodically restore the software to its initial state. This requirement would kick out any malware that managed to penetrate the appliance.
• Third, new IoT hardware could have IPv6 addresses in a restricted range, making it easier for any domain owner that is under a DDoS attack to have its ISP reject all packets directed toward it from IoT appliances.