IoT – The new entry point for ransomware

Organisations can come under threat if they fail to monitor and secure their IoT devices. Charaka Goonatilake, CTO, Panaseer, discusses the ways in which organisations need to be more aware of the security risks associated with IoT technology in order to ensure they can safely harness it for a long time to come.

The past half a decade has seen the Internet of Things (IoT) evolve from a conceptual ‘next step’ to a fully realised, tangible component of many IT environments the world over; so much so that the number of IoT connected devices globally is expected to reach 35 billion this year, according to Forbes, and swiftly rise to a staggering 75 billion by 2025.

Organisations from a wide range of industries, be they manufacturing, healthcare, or retail, are rightly turning to the IoT to garner new insights and efficiencies from their business operations. Unfortunately, as they integrate these devices into their infrastructures – an exercise which is expected to result in US$15 trillion investment from companies worldwide over the next four years – they are increasingly struggling to monitor this rapidly growing attack surface and secure the data being generated.

Naturally, as more and more assets become connected and create new attack vectors for intruders looking to infiltrate the network, IT teams are clamouring to ensure all IoT devices are monitored and their specific risks assessed and preempted. But what does this process look like? And how, exactly, do they go about securing their IoT?

A lack of visibility

The first step is identifying all of their connected assets and ensuring they have complete visibility of those assets at all times. Most businesses have a long way to go when it comes to the visibility of their IoT environments; in a Gemalto survey, a worryingly high number (48%) of respondents admitted they wouldn’t be able to detect an IoT breach on their network due to poor visibility.

Panaseer’s own research – which asked 200 enterprise security leaders about the ever-changing threat landscape and the regulatory, budgetary and expertise obstacles they routinely find themselves having to overcome – found that visibility, or lack thereof, into technical assets and security controls alike was a leading cause of security shortcomings. Considering all their IT assets, one in five respondents believed that IoT visibility was their biggest concern.

The main reason for this is that the majority of traditional security tools simply don’t cater to the new wave of IoT devices in the way that they do for more established technologies, be they laptops or servers. It’s tricky then to find much more than an IP address through network discovery tools, and even if one is successfully found for an IoT device, it won’t offer insights into what device it is, where it is, what it’s connected to and whether or not it is subject to any known vulnerabilities.

Without the security controls and discovery tools that are readily available for more traditional devices, IoT devices are largely left unmanaged and unsecured. These gaps mean vulnerable, easily exploited blindspots that can allow attackers access to internal and previously segregated networks. Before victim organisations know it, their devices are offline – a result that can at best mean a period of costly downtime and, at worst, in the case of healthcare professionals not having access to essential medical devices, loss of life.

The wild, wild west of IoT

So, why are blindspots of this nature so common? It’s largely due to the fact that the IoT market has accelerated faster than anticipated, with security being an afterthought that’s yet to catch up. While some steps have been taken to ensure certain security controls among IoT devices, the industry is still very much in its adolescence and regulators have yet to properly establish a means by which to monitor and encourage best practices when it comes to security. Until security measures catch up and strict best practices and regulations are implemented, properly securing these devices will prove difficult.

For years now, manufacturers and providers have been so focused on bringing their IoT devices and the insights they promise to their customers that they have forgone stringent security testing in the design phase. This is true for enterprise and civilian devices and has posed a particular threat to today’s workers who have been forced to access sensitive company data from their home networks, which are easily exploited and infiltrated through their growing number of personal IoT devices, such as Amazon Echos, Google Homes, or smart fridges.

Many workers and the organisations that employ them aren’t aware of the threats posed by these commonplace IoT devices. They fail to assess and secure each one and their network becomes as weak as its weakest link as a result.

Finally, many devices – inside and outside the organisation – simply aren’t capable of running the necessary software updates to remain secure. This is down to any number of factors, whether it be a lack of configuration to receive such updates or the fact that many devices still run via batteries and therefore cannot run even basic security controls.

A starter for 10

In order to properly secure today’s IoT devices, an essential step is a ground-up process for automatically maintaining a complete, accurate and up-to-date asset inventory, whereby IT teams can take stock of every single device on their network, its lasting security capabilities and the current risks it poses.

Once these have been evaluated, the next step is to remove, upgrade or isolate any device that cannot be properly secured. IT teams must find a suitable replacement or, at the very least, apply compensating security controls to mitigate any residual risks that fall outside of the organisation’s risk appetite.

When it comes to bringing new IoT devices onto the network, it’s vital to ascertain how best to secure and configure each device and what steps must be taken to ensure they remain secure. For new and existing devices alike, continual software updates must be undertaken at regular intervals to ensure the latest vulnerabilities are patched and that no one device is left unsecured.

Continuous due diligence and commitment to enterprise-wide IoT visibility are essential to any organisation looking to harness the booming IoT market. Only by accounting for every single device and the risks they pose can organisations safely harness the tremendous potential of the IoT for years to come.
