By Richard Arneson
Apologies for the headline in the event you’ll soon label it as an act of sensationalism, but the topic of today’s blog needs to be considered, then forwarded, if you or others you know have implemented, or are in the planning stages of implementing, your organization’s IoT strategy. The IT industry is rife with two- to four-lettered initialisms or acronyms―SDN, BYOD, SLAM, SAN, BGT, CRC, IBT… we’ll stop there; this might be a list that is actually never-ending.
Unlike AI (there’s another one), which for some conjures up negative images, IoT (Internet of Things) is rarely the subject of similar scrutiny. IoT is exciting—sexy by IT standards—for several reasons, and one of the biggest is its ability of enable business owners to reach out to customers who might be standing outside their place of business, whether a storefront, bar or restaurant, at that very moment. Yes, when a technology can drive revenue, it’s always going to be a hot topic. But with the good comes bad, at least in the IT industry. And that bad usually falls under the heading Security. IoT, sadly, is no different, and the following represent the greatest present threats to IoT security.
The most prevalent types of security threats that affect IoT
Identify thievery requires one (1) primary element―lots and lots of data. Now consider the number of IoT devices at play in addition to Smart phones―doorbells, thermostats, utility meters, watches, et al. They’re all connected to networks, which immediately broadens your attack surface. With personal data comes information, which can usher in a host of vulnerabilities. If patches or updates aren’t downloaded, or if, for instance, Alexa is traversing the same network you’re utilizing for Internet connectivity, you’ve created or broadened any gaps in security.
Most consider themselves immune to this type of threat, but there’s certainly been victims who’d once believed that very thing. Protecting yourself against con artists sounds common sensical, but considerable IoT threats involves the inadvertent coughing up of sensitive information to those posing as bank employees or customer service representatives of a company you’ve done business with in the past. Usually these types of cons come in the form of email phishing, and the broad nets perpetrators cast are considerable.
Distributed Denial of Service (DDoS) attacks
When a highway, or any type of thoroughfare, is shut down, you’re denied the service that roadway provides. DDoS attacks are no different. They’re usually due to a botnet, which floods networks with requests sent at the same time by way more users than the network can accommodate. The thoroughfare comes to a grinding halt, but the goals of DDoS attacks have less to do with data gathering, and more with lost revenue and customers, including the sullying of a company’s good reputation that may have taken years to build.
The aforementioned botnet is a combination of networked systems that take over a network and spread malware like the flu. The newly installed malware can result in a variety of costly symptoms, including the gathering of personal information and the spread of DDoS and phishing attacks, to name a few. The combined systems make botnets more insidious, as attacks can be spread from a variety of sources.
Remember the game Monkey in the Middle, where player C stands between players A and B and tries to intercept or block their pass? Man-in-the-Middle threats represent player C, which attempts to disrupt communications between users A and C. Here’s the difference: in a Man-in-the-Middle attack, users A and B don’t know there’s a user C in the game. Communications between the two (2) users are not only interrupted, but user C can then mimic users A or B―or both―to gather important and sensitive information. Intrusion detection system (IDS) are probably the best preventative measure against Man-in-the-Middle attacks and can detect when user C tries to insert itself into the conversation.
The IoT Industry is growing; unfortunately, so is its Attack Surface
It’s estimated that worldwide the number of IoT devices in use today will more than triple in the next seven (7) years, precipitously growing from its current 23 billion to over 75 billion by 2025. The cat and mouse game that steadily pits security organizations and experts against cyber attackers will only intensify. That’s exactly why consulting with IoT and security professionals like those at GDT is critically important now, but will become even more so over time. GDT’s Security practice is comprised of talented, tenured security analysts and engineers who protect the networks of organizations of all sizes, and from a wide variety of industries, including service providers and government agencies. They can be reached at SOC@gdt.com. They’d love to hear from you.