
Why Smart Devices Need Even Smarter Security

Enterprises face a world of morphing endpoints where they must defend against cyber attacks that target traditionally unconnected devices

The introduction of a new generation of connected, intelligent devices into the workplace has helped businesses become more productive, serve customers more efficiently and expand into new markets.

But as more smart devices join the burgeoning Internet of Things (IoT), the transition has scrambled the historical notion of the corporate endpoint. We’ve moved beyond the realm of desktop and laptop computers, or even mobile phones and tablets. Millions of connected “things” now populate far-flung enterprise networks, sending and receiving valuable data across the internet.

However, digital disruption also comes with a price.

Each new endpoint also constitutes a potential entry point for cyber criminals. From a security perspective, that raises all sorts of nasty sci-fi scenarios. We got a sneak peek at one of them last year when digital video cameras compromised by the Mirai botnet powered massive distributed denial-of-service (DDoS) attacks against key parts of the Internet.

The incident stunned the security world and focused attention on the success of attackers at finding new ways to infect devices that weren’t susceptible previously. Indeed, enterprises now have to defend against attacks that begin with hacks of management interfaces on traditionally unconnected devices such as fish tanks and coffee machines.

For IT professionals, the emergence of the IoT raises many challenges, not the least being how to handle security for endpoints, networks and data in a world of myriad connected devices. In a world of connected devices that range from watches and office equipment to kitchen appliances and smart washing machines, attacks can come from any vector. Simply put, we’re all connected.

Historic Transition

The good news is that there’s been better collaboration around industry standards for IoT security. The bad news is that progress remains slow.

In the meantime, the market’s flooded with literally hundreds of protocols that govern aspects of the IoT ecosystem. Unfortunately, in the absence of de facto standards or a governing body, many IoT manufacturers continue to ship products without adequately designing security into their devices.

Still, that’s not slowing down the pace of this historic transition. Organizations view this as a competitive necessity and are adding IoT devices to their operations at a record clip. Gartner estimates that about 8.4 billion IoT devices will be in operation globally by the end of this year, up a stunning 31% from 2016.

“IoT is a game-changing event in the history of IT and organizations increasingly view it as strategic to their operations,” noted Kevin Haley, director of product management for security response at Symantec, in a recent article.

But Haley also noted that IoT puts added responsibility on organizations and individuals “to do better when it comes to cyber security.” Indeed, with so many IoT devices now in use, it’s a given that attackers will focus on these weak points to breach otherwise well-defended networks.

There’s particular risk to enterprises from consumer devices that either migrate into workplaces or wind up being hijacked to attack organizations. In one of the more spectacular incidents, attackers reportedly made off with more than 10 gigabytes of data after compromising an internet-connected fish tank and then using the connection to breach a North American casino's network. While few confirmed examples of similar attacks exist at this point, the likelihood is that they will become more commonplace as attackers refine their methods.

"We know that there are even smaller devices on the network that are just as vulnerable," according to security researcher Joe Stewart. "You have no idea what protocol they are speaking, so they may be using TLS or SSL to encrypt the connection."

What’s more, the practice of placing a lightweight agent on the device will not work for many IoT things; many don’t have enough processing power or memory to handle such an agent.

A good first step is to determine how many devices are in the network and start formulating policy as devices get added to the network. Organizations can complement their endpoint management with network analysis that focuses on identifying anomalous traffic. Another popular tactic is to place enticing systems and data on the network, known as honeypots or canaries, to detect breaches as soon as attackers start trying to move through the network.
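
The three measures in the paragraph above (device inventory, anomalous-traffic analysis and canaries) can be combined in one agentless check over flow records. This is an added example, not from the article or from Symantec; every address, device name, baseline and flow record in it is constructed.

```python
from collections import defaultdict

# Constructed sample data: the device inventory, one canary address that no
# legitimate device should ever contact, and a per-device-type baseline of
# (allowed destinations, max outbound bytes per analysis window).
INVENTORY = {
    "10.0.5.11": "badge-reader",
    "10.0.5.12": "aquarium-controller",
    "10.0.5.13": "coffee-machine",
}
CANARY_IPS = {"10.0.9.99"}
BASELINE = {
    "badge-reader": ({"10.0.1.5"}, 1_000_000),
    "aquarium-controller": ({"10.0.1.7"}, 1_000_000),
    "coffee-machine": ({"10.0.1.8"}, 1_000_000),
}
FLOWS = [  # (source, destination, bytes sent) as a flow collector might export
    ("10.0.5.11", "10.0.1.5", 1_200),
    ("10.0.5.12", "10.0.1.7", 800),
    ("10.0.5.12", "203.0.113.50", 6_000_000_000),
    ("10.0.5.12", "203.0.113.50", 4_500_000_000),
    ("10.0.5.13", "10.0.9.99", 300),
    ("10.0.5.77", "10.0.1.5", 500),
]

def analyze(flows, inventory, baseline, canaries):
    """Return de-duplicated alerts for the flows in one analysis window."""
    alerts, sent = [], defaultdict(int)

    def add(alert):
        if alert not in alerts:
            alerts.append(alert)

    for src, dst, nbytes in flows:
        if dst in canaries:                 # any contact with a canary is suspect
            add(("canary-touched", src, dst))
        kind = inventory.get(src)
        if kind is None:                    # device missing from the inventory
            add(("unknown-device", src, dst))
            continue
        if dst not in baseline[kind][0]:    # talking to an unapproved peer
            add(("unexpected-destination", src, dst))
        sent[src] += nbytes
    for src, total in sent.items():         # outbound volume over the baseline
        if total > baseline[inventory[src]][1]:
            add(("volume-exceeded", src, total))
    return alerts

if __name__ == "__main__":
    for alert in analyze(FLOWS, INVENTORY, BASELINE, CANARY_IPS):
        print(alert)
```
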

On a more strategic level, effective IoT security also depends on having a strong, multi-layered security foundation that can withstand the expected onslaught; though the “big one” hasn’t yet hit, rest assured it’s on the way. As Stewart notes, so many IoT devices in use nowadays are vulnerable that attacks against these morphing endpoints are a foregone conclusion.

If defenders aren’t prepared, he cautioned, they could find themselves facing “a nightmare scenario.”

About the Author

Robert Lemos

Journalist

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.
