5 Biggest IoT Security Issues For Businesses In 2019
IoT Growth Brings New Security Problems
The forecasts may vary, but the story is largely the same: the number of Internet of Things devices is set to grow at a breakneck speed within the next decade. And with all the new endpoints, many of them landing in the workplace, come a whole host of new security issues for businesses. These IoT security issues range from a growing sophistication of attacks to the way businesses continue to struggle identifying all the devices on their networks. CRN spoke to two IoT security experts — Alon Levin, vice president of product management at VDOO, and Joe Lea, vice president of product at Armis — about five of the biggest IoT security issues for businesses in 2019, which are explained in the following slides.
IoT Attacks Become More Sophisticated
In fall 2016, the Mirai botnet took control of legions of unsecured connected devices to send a massive distributed denial-of-service attack against a DNS provider, bringing much of the Internet to a crawl. Since then, attacks against Internet of Things devices and networks have become much more sophisticated, according to Alon Levin of VDOO and Joe Lea of Armis. Two years ago, an attack against a router, for instance, could lose its foothold once a user resets the device. "In 2018, we've started to see that change," Levin said, "where attackers are able to maintain persistence and create multi-stage attacks. Lea said attacks are becoming more advanced, particularly in cases where the data is valuable, such as medical devices in a hospital. "We regularly see people get into those devices and move laterally or use the devices themselves as a way of exfiltrating data, feeding it off the network through something like a printer that has a wireless hotspot," he said.
The Threat Vector Continues To Grow
The kinds of IoT attacks aren't just growing more sophisticated in behavior, however. They are also evolving to impact more kinds of devices, according Levin of VDOO. This means attackers are, in some cases, taking existing attack methods and updating them to cover different kinds of devices across a variety of manufacturers. This means businesses need to find ways to account for the growing threat vector. "What we've seen recently is the fact that for zero-day vulnerabilities we find in one device turns out to be something that is not identical but close in alignment to another zero-day vulnerability in another device," Levin said.
Many IoT Devices Lack Proper Security
Many IoT devices lack proper security features, which means that it's up to businesses and their IT service providers to fill the gap. A recent study by university researchers, for instance, found that many smartphone apps designed to control and configure IoT devices lack encryption. "People are recognizing that these devices have vulnerable operating systems in them and they are being exploited," said Lea. The problem, according to the Armis executive, is that device manufacturers are operating "in an environment where they are managing their businesses for profitability not security." The result is that the responsibility gets pushed down to the end user.
Many Enterprises Lack Complete Network Visibility
As IoT attacks become more sophisticated and the threat vector grows, businesses are making themselves vulnerable simply because they lack the ability to see and manage all of the devices on their network, whether it's an IoT device, a smartphone or a laptop brought in by an employee. "As shocking as it is, when we go into large enterprise environments, there's 40 percent of the devices that they are unaware of," Lea of Armis said. To tackle this problem, vendors like Armis provide a software platform can identify every device on the network, continuously profile them for anomalies and malicious activity and disconnect them from the network when necessary.
Keeping Track Of A Device's Bill Of Materials
An underlying problem that can make IoT security difficult to address are all the components within a device, both from a hardware and software perspective, according to Levin of VDOO. "A total lack of visibility to bill of materials essentially leads to not being able to identify known vulnerabilities, not being aware of new potential vulnerabilities and a lack of understanding that a certain device needs to be upgraded," he said. This is especially a problem on the software side, with many IoT devices running open source software. Levin's startup, VDOO, provides a solution for identifying software vulnerabilities in devices and recommending proper security measures.