The Internet of Things is riddled with security challenges. Cybercriminals know this too, and have often been quicker to take advantage of vulnerabilities than we have been to fix them. For instance, according to Fortinet's Threat Landscape Report for the second quarter of 2017, 90% of organizations recorded attacks that targeted system and device vulnerabilities that were at least three years old, even though updates and patches had long been available. It's even more alarming that 60% of organizations reported attacks aimed at vulnerabilities that were 10 or more years old.
Today, the billions of online IoT devices present an even more daunting challenge because they generally don't receive the level of control, visibility, and protection that traditional systems receive. Coupled with widespread automation-based attacks, the potential for damage is even greater. Recent developments, outlined below, reveal why it's time to take IoT security seriously.
2016's Mirai malware was the first IoT botnet to lead to an unprecedentedly massive distributed denial-of-service attack. And this year brought us new generations of IoT-based attacks, like Hajime and Poison Ivy, that have multiple toolkits built into them. Mirai was successful, but it wasn't built to be smart. Hajime is more robust because it's automated. It self-propagates like a ransomworm and is difficult to shut down. Even more alarming is that Hajime is a multivector attack that can target different operating systems and supports multiple payloads and binaries, making it cross-platform. Hajime also removes firewall rules that allow the device to talk to the Internet service provider.
Adding to the focus on IoT-based attacks, security researchers have recently been monitoring a new IoT botnet named Reaper that has emerged over the past few weeks. While its ability to enlist vulnerable IoT devices has been slow, it could potentially affect millions of devices that have been identified as potential targets. Unlike Mirai, which used password cracking to enlist devices into its botnet campaign, Reaper is designed to exploit known vulnerabilities in targeted IoT devices from a variety of different manufacturers, using a vulnerability list that is being actively updated. It is then able to use these infected devices to launch a variety of attacks, including SYN floods, ACK floods, and HTTP floods, and because it includes more than 100 open DNS resolvers in its Lua sample, its ability to carry out DNS reflection/amplification attacks is of real concern as well.
In a worst-case scenario, an IoT-based attack using increasingly flexible and sophisticated botnet systems, such as the ones we have seen over the past year, could potentially cause tens of millions of devices to go dark and significantly disrupt online businesses and transactions.
Mirai was an IoT cybersecurity wake-up call. We all knew that the IoT was insecure, and this botnet provided a glaring real-world example. As a result, individuals, organizations, and regulatory bodies were motivated to accelerate the process of making IoT vendors accountable for their products.
In January 2017, the Federal Trade Commission took the bold step of filing a lawsuit against an IoT manufacturer. The suit alleges that a global manufacturer of computer networking equipment and other connected devices "made deceptive claims about the security of its products and engaged in unfair practices that put consumers' privacy at risk."
Meanwhile, the US Commerce Department's National Telecommunications and Information Administration has assembled a working group to develop guidance for IoT device manufacturers to better inform consumers about security updates. This group came up with "key elements" that manufacturers should consider conveying to consumers to help them make better-informed purchasing and use decisions. These key elements include whether a device can receive security updates, how it will receive them, and when support for the device would end.
More recently, the Internet of Things Cybersecurity Act of 2017 was introduced into the U.S. Senate as an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities.
Security updates and standards are only one aspect of imposing IoT cybersecurity and manufacturer accountability, but they're a good start. These developments are a positive sign that the industry and those who regulate it are serious about creating an environment of accountability.
Many CSOs ask me, "If you could give me one piece of advice on IoT security, what would it be?" The answer is, "Know your digital assets." You have to attain visibility before implementing protection, because you can't protect what you can't see. Every organization needs a constantly updated inventory of the assets on its network, including services. Risk analysis and security development is then based on the answer to the question, "If that data or service were to go offline, how much would it cost in revenue and damage to the brand?"
With that in mind, here are four recommendations for addressing the IoT's cybersecurity challenges.
First of all, advanced threats like Hajime and WannaCry were so successful at targeting known vulnerabilities that exploiting them has become an increasingly popular attack vector for cybercriminals. As a result, patch management is essential. WannaCry targeted a vulnerability for which a patch had been available for more than two months. Even worse, Petya followed a few weeks later targeting the exact same vulnerability and still managed to affect millions of devices. And the new Reaper IoT botnet can simultaneously target multiple vulnerabilities across a number of manufacturers using a constantly updated vulnerability list. Organizations that are spared the effects of these sorts of attacks all have one thing in common: a strong cyber-hygiene policy that includes applying patches as soon as they're available.
But physical patching is only part of the solution. There are billions of vulnerable devices out there with no patches in sight. This is where intrusion-prevention systems (IPS) are essential. IPS is a must-have part of your security hygiene strategy because it can provide virtual patching to block hacks and attacks that target IoT and other vulnerable devices.
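As an added illustration (not part of the original article or of any Fortinet product), the following Python sketch applies the "know your assets, then patch or virtually patch" logic above to a constructed inventory. The device names, field layout, and 30-day patch-lag threshold are assumptions; the business-impact ranking comes from the revenue-and-brand question posed earlier.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    known_vuln: bool                     # affected by a publicly known vulnerability
    fix_available_since: Optional[date]  # when the vendor shipped a fix; None if never
    patched: bool                        # has that fix been applied?
    business_impact: str                 # "high" / "medium" / "low": cost if it goes offline

# Ordering used to rank the report: most urgent action first, highest impact first.
ACTION_RANK = {"patch-overdue": 0, "virtual-patch+segment": 1, "patch-pending": 2, "current": 3}
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}

def decide(asset: Asset, today: date, max_lag: timedelta = timedelta(days=30)) -> str:
    """Map one inventory record to the control that applies to it."""
    if not asset.known_vuln or asset.patched:
        return "current"
    if asset.fix_available_since is None:
        # No vendor fix exists: block the exploit path with IPS virtual patching
        # and keep the device segmented away from critical services.
        return "virtual-patch+segment"
    if today - asset.fix_available_since > max_lag:
        return "patch-overdue"
    return "patch-pending"

def triage(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (name, action) pairs, most urgent and highest impact first."""
    rows = [(a.name, decide(a, today)) for a in assets]
    impact = {a.name: IMPACT_RANK[a.business_impact] for a in assets}
    return sorted(rows, key=lambda r: (ACTION_RANK[r[1]], impact[r[0]]))

# Constructed sample inventory (hypothetical devices, not real products).
INVENTORY = [
    Asset("dvr-01", True, date(2017, 5, 1), False, "high"),
    Asset("cam-07", True, None, False, "medium"),
    Asset("router-02", True, date(2017, 10, 20), False, "low"),
    Asset("printer-03", False, None, True, "low"),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY, date(2017, 11, 1)):
        print(f"{name:12} {action}")
```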
Second, build redundancy and segmentation into your data backups. Scan your backups to make sure they're clean, and make sure that they're segmented off-network. Segmentation will also help protect against ransom-of-service attacks, which we expect to see in the coming year.
Third, focus on visibility. Perimeter defenses alone aren't enough. Once the perimeter has been breached, many organizations have little visibility into what an attacker or malware is doing. It's critical that you start by understanding who your attackers are, become familiar with their techniques, tactics, and procedures, and understand their objectives and motivations. Then drive visibility and control deep into the core of your network and out to its furthermost edges, including remote devices and the cloud. Only then can you intelligently defend your network.
Finally, it's time to tighten up the time to defense. Proactive solutions need to be tied together. You need to take a hard look at your data centers and customer sites for ways to integrate all the different pieces from different providers. Try to reduce that complexity by further integrating devices, consolidating existing security solutions, and automating interoperability between your defense systems. This approach is critical if you want to speed up your time to defense.
This article was originally published in Dark Reading.
Our paper on “Understanding the IoT Explosion and Its Impact on Enterprise Security” provides more details on the security risks of IoT and what organizations can do to address them.