IoT devices connect to the public Internet and communicate in ways that make them “smarter”. But smarter can mean riskier too, especially when it comes to security.

I try to avoid “buzz words” and jargon; information security is complex enough without them. The security industry is overrun with companies that intend to confuse you with marketing bullet points, wrapped up as new concepts and trends, in the hopes that you will cut them a check. Meanwhile, you are the one that will bear the ultimate responsibility for risks they know you don’t understand. This is a game I refuse to play. I think it’s possible to carefully communicate security risks associated with new technologies and trends without intentionally confusing the issue.

The so-called “Internet of Things” is one of the latest buzz words being used by vendors and service providers. It’s a relatively simple concept, yet represents a set of serious security concerns for your business.

The Internet of Things (or IoT) is a blanket term used to describe all of the technology that is being deployed in homes and businesses. That is, technology that isn’t normally considered part of traditional IT infrastructure — things your IT staff already manage, like computers, mobile devices, network equipment, etc. These new devices connect to the public Internet and communicate in ways that make them “smarter”. They include security cameras, climate control, inventory logistics, power meters, and even “smart beds” in hospitals.

While the improvements in efficiency and cost savings that IoT devices can bring to a business cannot be ignored, it’s important to understand the risks associated with “smart” devices.
Despite being physically located on your premises, many IoT devices are managed “in the cloud”, meaning that the device communicates with an external entity (probably the vendor) across the public Internet, and that you (or your IT staff) manage and interact with it using a web browser or mobile application that also connects to this external entity. This opens up the attack surface (ways in which a cybercriminal can attack you) for both your network and the data you’re trying to protect.

The IoT industry is quickly growing. To stay competitive, IoT vendors are developing new products rapidly, and are often not spending the time and resources necessary to develop secure software that runs on these devices. It can be difficult to design and develop a secure embedded device, especially one that requires so much connectivity. IoT devices are often “opaque” as well, meaning that your IT staff, however talented and experienced they are, may not have insight into how the devices work, nor have the ability to change their configuration in any useful way with regard to security.

The teams of hackers that we employ for network penetration tests have identified vulnerabilities in many of these devices on almost every single client we have tested over the past year (a sharp increase over previous years). Mitigating these vulnerabilities requires designing your network to limit connectivity between IoT devices and sensitive systems and data.

Cybercriminals understand the Internet of Things all too well. The largest network denial of service attacks in history occurred in recent months, and the systems used to carry out these attacks were not powerful servers. These attacks were carried out by criminals that controlled thousands of network connected security cameras that they had hacked.
Traditional network security monitoring solutions may not identify the latest IoT attacks, especially if you’re not constantly updating those monitoring systems with information on the vulnerabilities associated with your specific IoT devices.

My advice is to take advantage of new technologies that can help you become more efficient and profitable, but to only do so when you’ve carefully addressed the risk. Actively test your network for vulnerabilities, and monitor for intrusions by cybercriminals. See to it that you’re protected, and look forward to my future columns on other issues in cyber security.