IoT devices are everywhere and some businesses are only just starting to realise the security implications of so many unmanaged items on their network. The number of IoT devices is forecast to increase five fold to 75 billion devices by 2025. Couple the roll out of cellular IoT and faster 5G networks with vulnerable IoT devices, and you could be gifting hackers the ability to utilise compromised devices to launch DDoS attacks and/or deploy malware.
Any device that connects to the internet could potentially be an entry point to a larger network, so enterprises of all shapes and sizes must be aware of the risk IoT presents and what they can do to mitigate that risk:
1. Device discovery
You can’t secure your network and devices, until you know exactly what you’re going to secure! IoT along with Shadow IT and BYOD make device awareness ever more difficult.
IP Discovery (including port scanning) can help to discover, identify and manage the IoT devices connecting to your network.
Your next step is to perform an IoT risk assessment and update, or create if you don’t have one, an enterprise asset register that should contain the details of all devices.
2. Device updates
An IoT environment presents several potential patching challenges. Some devices are inaccessible or cannot be taken offline for long periods of time, some are simply sensors with no user interface or can’t accept updates.
A big IoT risk is insecure or outdated software/firmware. Your enterprise asset register can help here if you record and update which versions of software and hardware the devices are running.
3. Authentication, authorization and passwords
After you’ve discovered what IoT devices are on your network, it’s time to decide what they can access and why. You should always operate on the principle of least privilege – only allowing devices to see and access what is absolutely necessary for them to do their jobs. Always update factory-installed default passwords. Strong passwords are a good start with two/three/four-factor authentication being even better. The 2016 Mirai attacks were traced back to connected cameras and other IoT devices that had factory-default or hardcoded passwords.
Encryption is considered the most effective way to secure data. But many connected devices (small sensors, camera etc) do not have the power, processing or memory resources required to run traditional encryption algorithms. These devices should use an algorithm with high security, but low computation ie lightweight cryptographic ciphers.
5. Securing the network
As well as securing IoT devices and their data, it is vital to ensure the networks themselves remain safe. It’s also important to use traditional security measures, including IPS and IDS/BDS, anti-malware and firewalls.
Unfortunately, operational technology networks connecting to IT networks were generally never considered a threat as they didn’t connect to the internet so it was often felt they did not pose a risk to IT networks. Many best practices now also suggest segmenting the IT network from the IoT network.
6. Disruption, DDoS attacks and IoT botnets
The 2016 Mirai attacks, initially targeted a Minecraft server host, but eventually brought down several high-profile websites, including Amazon, Netflix and Twitter.
Unfortunately, it is nearly impossible to prevent a DDoS attack. But you can certainly take steps to prevent an attack from succeeding. Use intrusion prevention systems (IPS) such as DDoS Mitigation to try and prevent attacks – not forgetting to perform DDoS testing to make sure your systems provide adequate protection. Intruder/breach detection systems (IPD/BDS) can use fake devices to detect potential DDoS attacks in your network – preventing a bigger attack on your actual business-critical assets. Bot Management can also counter the bots hackers use to launch pre-attack scans, as well as the fraud they can commit through activities such credential stuffing and site scrapping.
The Internet of Things is here to stay so businesses now just need to focus on keeping secure in this new environment. For help with IP Discovery, Web Application Firewalls (WAF), DDoS Mitigation, DDoS Testing, Breach Detection, Bot Management or any other aspect of cyber security contact us or call us on 0845 625 9025.
Read our other blogs on IoT security:
IoT & DDoS Part 1: Nobody Knows You’re A Hacked Light Bulb
IoT & DDoS Part 2: Preparing For the DDoS of Things