The Internet of Things (IoT) is generating interest and excitement in many business sectors, but it's simultaneously creating headaches for security professionals. As the types and number of devices being connected to corporate networks grows, preventing compromises becomes increasingly difficult.
Much of the challenge stems from the rate of adoption of IoT devices. Little more than a technical novelty just a few short years ago, they're now appearing in an array of different forms. Examples include video cameras and monitoring sensors, autonomous machines and cars, medical devices and appliances.
Often, IoT devices have been rushed to market in an effort by vendors to secure market share. What's concerning is that, in many cases, insufficient attention has been given to security.
With new devices constantly appearing, the number being used within corporate infrastructures can only increase. This, in turn, requires new approaches to security to ensure core data and applications continue to remain protected.
Be proactive, not reactive
While there appears to be growing awareness of the challenges posed by IoT devices, many organisations are tending to take a reactive rather than proactive approach to their security. IT teams are often content to wait until security flaws are discovered and only then consider a fix.
Indeed, a recent survey by the US-based SANS Institute on endpoint security found, 27 per cent of breach detections are discovered through a third-party notification. This means some victims learn about problems from the news media, a blog post or a notice from a law enforcement agency.
Worryingly, 7 per cent of respondents to the survey said they had a greater than a 24-hour response time when breaches had been discovered. This is very reactive and can have significant flow-on effects. The survey also found the average dwell time of exploits prior to their discovery is 205 days.
The SANS Institute survey also found almost 50 per cent of data stolen during security breaches is user credentials, which can be used by criminals to enter other parts of an infrastructure or cause damage or disruption. There have already been cases of IoT devices compromising credentials and this is likely to be an increasing trend.
Understand the risks
IoT devices come in many shapes and sizes. Some are network computers, while others are little more than a sensor and a network connection that allows them to collect and exchange data.
Some, such as security cameras, televisions, electronic locks and lights, can be remotely controlled. This creates the potential for them to fall under the control of an attacker who could take over their operation. For example, the microphone in an internet-connected television in a boardroom could be remotely activated, thereby allowing an attacker to monitor conversations. The same thing could occur within an internet-connected vehicle. The hacking of electronic locks could make buildings insecure, while remote operation of lights could cause disruption or safety concerns.
As the range of devices being used increases, the potential for compromise grows too. For this reason, security teams need to be aware of the implications of the IoT and take steps to ensure anything connected to their corporate network remains secure at all times.
Each new device should be carefully reviewed before being allowed to connect to the network and, where possible, endpoint security software installed. This might require the use of skilled personnel from outside the organisation who have the knowledge needed to accurately assess each device.
While the majority of security attacks occurring are still targeting more traditional endpoints, such as PCs and servers, this will change as the number of IoT devices climbs. As a result, strategies will have to continue to evolve to ensure corporate IT infrastructures remain secure.