Data breaches through wearables put target squarely on IoT in 2017
Forrester predicts that more than 500,000 Internet of Things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic—enough said.
The sheer velocity with which distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players makes this sector scary from a security standpoint.
“Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts.
The analyst firm adds that when smart thermostats alone exceed 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed. Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching.
Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network. The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb. This was demonstrated in September in a major DDoS attack on the website of security expert Brian Krebs. A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests from Krebs’ site.
“It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked. If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”
Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017. Innovative criminal enterprises will devise ways to monetize potentially billions of internet-facing devices that often do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says.
Mike Kelly, CTO of Blue Medora, agrees, stating that, “the inability to quickly update something, such as your home thermostat, is where we will see the risk. It’s not about malware getting on the devices, the focus will need to be on the ability to remediate the issue. Like we saw with Windows, there will be a slew of vulnerabilities, but unlike with a computer, patching won’t be as easy with IoT devices,” he says.
More connected devices will create more data, which has to be securely shared, stored, managed and analyzed. As a result, databases will become more complex and the management burden will increase. Those organizations that can most effectively monitor their database layer to optimize peak performance and resolve bottlenecks will be in a better position to exploit the opportunities the IoT will bring, he says. Large corporations are still challenged with finding security talent to manage security in the “traditional” sense, leaving IoT startups to fend for themselves in a digital economy.
Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. With the sheer volume of internet-connected devices growing every year, IoT represents a huge attack surface for hackers. More disturbingly, many IoT manufacturers do not create devices with security in mind, and therefore release devices full of potential vulnerabilities. Many of their products have vulnerabilities that were common a decade ago, providing easy pickings for cyber criminals.
Many IoT devices coming on the market have proprietary operating systems and offer very little compute and storage resources. Hackers would have to learn new skills to reverse engineer these devices, and they don’t provide much in terms of resources or data for the attacker to steal or monetize. On the other hand, another class of IoT products are devices running embedded Linux. These devices look very familiar to hackers. They already have tools and malware designed to target them, so “pwning” them is as familiar as hacking any Linux computer.
“On top of that, the manufacturers releasing these devices seem to follow circa 2000 software development and security practices. Many IoT devices expose network services with default passwords that are simple for attackers to abuse,” Nachreiner says.
He cited the leaking of the source code for the Mirai IoT botnet. This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices. They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic, the largest ever recorded.
In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets. Expect to see IoT botnets explode next year, he says.
Hold your IoT security hyperbole
“Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply. Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” says Stan Black, CSO at Citrix.
Adoption of emerging tech like IoT can actually have more security benefits than challenges if implemented correctly, Black says. The same goes for machine learning. The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices, and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture.
The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the amount of pressure your fingers normally apply. Taking advantage of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.
“The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc. These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds.
These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army. This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections—like those offered by Google and AT&T—and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built).
Speaking of standards
Steven Sarnecki, vice president of federal and public sector at OSIsoft, pointed to the National Institute of Standards and Technology’s (NIST) National Cyber Center of Excellence for a glimpse of what is to come. NIST is currently piloting a project to assess how energy companies can better utilize connected devices to integrate and increase security with hopes of sharing those best practices and insights across the energy sector. “As more companies wake up to the reality of IoT security threats, these solutions will become more commonplace, enabling enterprises to markedly increase their security footprint with only minimal incremental cost,” he says.
Sarnecki adds that in 2017 he would expect a large portion of IoT users, especially within the enterprise and industrial spaces, to begin to seriously consider the “internet of threats” aspect posed by IoT to their networks. Energy companies, water utilities, and many other critical infrastructure sectors rely on connected devices to support their missions.
Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications that combine to expand the borders of the security ecosystem, she says. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.
The enterprise has paid attention to IoT for some time, though 2017 will be the year we move past the “wow” phase and into the “how do we securely and effectively bring IoT to the enterprise, how do we handle the high-speed data ingest, and how do we optimize analytics and decisions based on IoT data,” says Redis Labs Vice President of Product Marketing Leena Joshi.
Mark Bregman, Chief Technology Officer at NetApp, believes 2017 will be about capitalizing on the value of data. The explosion of data in today’s digital economy has introduced new data types, privacy and security concerns, the need for scale and a shift from using data to run the business to recognizing that data is the business.
Off-line data analytics and threat hunting become endless money pits, says Gunter Ollmann of Vectra Networks. “We’re told, and we observe, that each year our corporate data doubles. That power-of-two exponential growth, after merely four years of storing, mining, and analyzing logs for threats, means a 16-fold increase in overall costs—with an accompanying scaled delay in uncovering past threats.”
Cybersecurity will be the most prominent big data use case, says Quentin Gallivan, CEO of Pentaho, a Hitachi Group Company. As with election polls, detecting cybersecurity breaches depends on understanding complexities of human behavior. Accurate predictions depend upon blending structured data with sentiment analysis, location, and other data.
“In the past few years, cyber security companies have started leveraging these technologies to help defend our organizations. One of the big problems in infosec today is we are too reactive, and not predictive enough when it comes to new threats. Sure, once we recognize a piece of malware or a new attack pattern, we can design systems to identify and block that one threat, but hackers have become infinitely evasive. They have found techniques that allow them to continually change their attacks and malware so regularly that humans and even basic automated systems can’t keep up with the latest attack patterns. Wouldn’t it be great if we had technology that predicted the next threats instead?” he says.
Machine learning can help us do just that. By feeding a machine learning system a gigantic dataset of good and bad files, or good and bad network traffic, it can start to recognize attributes of “badness” and “goodness” that humans would never have noticed on their own.
The security community as a whole will utilize big data more effectively in order to identify trends and threats, predicts Matt Rodgers, head of security strategy at E8 Security. “Organizations have the information they need, but they cannot find it. In 2017, companies will start looking at their data sets through advanced analytics to identify trends and risks. Big companies are already starting to augment their existing SIEM technology with behavior analytics capabilities to this end,” he says.