Security controls must keep pace with internet-connected devices
The ability to connect devices is becoming the standard across all facets of technology. We are seeing this in everything from smart cities to teapots and toasters. New IoT devices are popping up daily, rapidly adding to the 23 billion that already exist. These devices are designed for availability, accuracy and efficient work. Unfortunately, unprecedented numbers of these devices are hitting the market with poor security access control and little to no management oversight, making them a prime target for cyberattack. Controlling the device may be the goal of an attack, but more common and more concerning are the new ways an attacker can use such devices to gain access to corporate, medical or operational networks. As a result, organizations must change the way they approach their security controls. It is no longer feasible to assume a security team can find every endpoint device, much less secure every one of them.
The concepts of predict, prevent, detect and respond are not new and are commonly seen within security frameworks. There is an imbalance of investment in prevention, which creates exposure when these defenses fail or get bypassed. The proliferation of IoT devices that lack necessary security controls and governance creates new risks that must be addressed. Organizations must address the cyber battle inside the network and focus on scalable early detection and on programs that efficiently respond to successful infiltration.
IoT is a challenging, top-of-mind concern for defenders. In a recent Attivo Networks survey of more than 450 cybersecurity professionals, one-third of respondents reported securing specialized environments, such as IoT, as a top concern. Post-survey discussions indicated these concerns were based on a lack of visibility into devices added to the network, the inability to change or control passwords, the inability to patch devices and a lack of awareness when these devices were being misused. In the case of medical IoT, it is often illegal to make changes to these devices, based on the concern that any post-factory adjustment could alter the operation of the device and potentially negatively affect patient safety.
Here are some of the most common threats facing these highly targeted attack surfaces and tips on how to guard against them:
Protecting specialized networks
Specialized networks have become increasingly common as the need for interconnected communications and on-demand services soars. A wide variety of industries are rapidly adopting interconnected devices in the form of SCADA, IoT and point-of-sale systems, which can be useful for delivering services, recording activities, relaying medical information and processing financial transactions. Growth in this area shows no sign of slowing, with an estimated 50 billion connected IoT devices expected by next year. That growth means potential new entry points for attackers.
The use of default passwords is one of the most common weaknesses exploited to attack these networked devices. Easily compromised access credentials continue to plague devices, as far too many manufacturers continue to ship them with a single default set of credentials that either don’t require a change at initial setup or don’t provide an option to change them. This renders a massive number of devices susceptible to infiltration by anyone who can obtain that default username and password, leaving them vulnerable to the same type of attack that gave rise to the Mirai botnet, one of the most pervasive pieces of malware in history.
Why do common household items like lightbulbs require certification, while IoT devices are not held to any standard? The answer is inherently conflicted, because it must balance the competing priorities of safety and innovation. Some steps have been taken to address this issue, and responsible manufacturers now ship their devices with unique passwords so that one set of credentials cannot be used to compromise thousands or millions of devices. Some states, such as California, have passed legislation to codify this practice into law. Federal legislators are also discussing IoT security regulations. However, regulatory progress moves slowly. Regardless of compliance or laws, individuals and organizations should be proactive in managing risk by requiring that default passwords be changed automatically when any device is first put into use.
Finding and updating assets is another problem that plagues organizations with IoT devices. Given the rate of innovation, many devices quickly become outdated, and it is difficult to find and install updates. Others that remain in use for extended periods may simply stop receiving updates from the manufacturer at all. Once this happens, it is unlikely that any newly found vulnerabilities can be patched, making these devices appealing targets for attackers.
Organizations can combat this situation by implementing an effective lifecycle management plan for all connected devices. Establishing controls to know where devices are and when the manufacturer no longer supports a device can mitigate this risk. Properly vetting suppliers, and purchasing from companies that provide password management flexibility and effective maintenance plans that align with one’s business model, can also address this issue.
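An added example, not code from the article or from any vendor, showing how the controls recommended above (knowing where each device is, whether its manufacturer still supports it, and whether it is still on a factory default credential) can be turned into a repeatable inventory audit. The device records, vendor names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Device:
    device_id: str
    vendor: str
    location: Optional[str]        # None: nobody knows where the device is
    support_ends: Optional[date]   # None: vendor never published an end-of-support date
    firmware: str
    latest_firmware: str           # latest version the vendor offers
    last_seen: date                # last time network discovery observed the device
    uses_default_credential: bool  # reported by the provisioning system

# Constructed sample inventory (not real devices, vendors or dates).
TODAY = date(2019, 9, 1)
INVENTORY = [
    Device("cam-01", "Acme", "Lobby", date(2021, 1, 1), "2.3", "2.3", TODAY, False),
    Device("cam-02", "Acme", None, date(2021, 1, 1), "2.1", "2.3", TODAY - timedelta(days=90), False),
    Device("pump-07", "Contoso", "Plant B", date(2018, 6, 30), "1.0", "1.0", TODAY, True),
]

def audit_device(dev: Device, today: date, stale_after_days: int = 30) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if dev.location is None:
        findings.append("unknown-location")
    if dev.support_ends is not None and dev.support_ends < today:
        findings.append("end-of-support")       # no more vendor patches: treat as unpatchable
    if dev.firmware != dev.latest_firmware:
        findings.append("firmware-outdated")
    if (today - dev.last_seen).days > stale_after_days:
        findings.append("not-seen-recently")    # visibility gap: device may have moved or been replaced
    if dev.uses_default_credential:
        findings.append("default-credential")
    return findings

def audit_inventory(inventory: List[Device], today: date) -> dict:
    """Map device_id to its findings, listing only devices with at least one finding."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev.device_id] = findings
    return report

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, TODAY).items():
        print(dev_id, ", ".join(findings))
```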
Infrastructure represents an increasingly attractive target
U.S. National Intelligence Director Dan Coats recently said that “the warning lights are blinking red” when it comes to infrastructure security. January’s Worldwide Threat Assessment indicated that foreign powers are capable of inflicting substantial damage on infrastructure and public services by targeting power grids, industrial machinery and other connected systems.
Outdated equipment is a major issue when it comes to infrastructure security. Many industrial control systems (ICS) predate the internet era, and updating them may not be an easy option because of antiquated operating systems or the inability to obtain downtime for patch management. ICS are also challenged because they sometimes lack physical boundaries for protection. Many don’t possess monitoring abilities, and additional risks arise when policies and procedures are not designed with securing ICS devices in mind. Mistakes can also occur in operations or configuration, or as the result of unintended human error, leaving these devices vulnerable to exploitation.
The human element remains a difficult and persistent problem to solve. Phishing schemes and other attacks that exploit human error are common throughout many industries, but they can be particularly damaging if an attacker gains access to a fuel sensor, traffic control system or power grid. Damage to these networks could result in widespread power outages, traffic mismanagement and other disasters with the potential for catastrophic loss of life.
Organizations can lower this risk with proper employee training and screening, and by adding detection security controls that alert on policy violations and misconfigurations. Such controls will pick up both unauthorized use by employees and an external threat actor who poses as a real employee and uses that employee’s credentials to gain unauthorized access.
Visibility and detection
The proliferation of internet-connected devices has inspired many new services and offerings, but it also represents potential risk. Although there is no silver-bullet security fix, the ability to quickly detect and respond to unauthorized activity is now fundamental to every security program. There are several options for detection available today. Some are based on database lookups or on traffic or behavioral analysis, while others are based on deception technology. Each has its merit, though many have shortcomings related to their ability to operate effectively in operational technology environments.
Deception technology is quickly separating itself from the pack as a commonly deployed detection control. The technology provides visibility to assets being added to the network, attack paths and policy violation activity. Decoys that mirror-match production assets also prove to be an effective way to confuse, slow down and detect attackers early in the attack cycle. Deception platforms are tackling access management and authorization challenges by planting deception credentials and fake application servers to detect credential theft and unauthorized use of legitimate credentials.
Although the use of commercial deception technology is still fairly new, it is now recognized for its ability to simplify detection and response. Engagement-based alerts that include adversary intelligence and forensics allow decisive action in the case of an incident. Given its accuracy, hours are saved by correlating attacks, automating incident response actions and accelerating remediation. Organizations may also use the technology’s ability to engage an attacker to gain more insight into intent, gather counterintelligence and build preemptive defenses.
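An added example, not code from the article or from any deception vendor, of the detection logic behind the planted credentials described in the two paragraphs above: decoy accounts are never used legitimately, so any authentication attempt with one is a high-confidence signal of credential theft, and the source of that attempt is the host to investigate. The log format, decoy account names, hosts and addresses are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Decoy accounts planted in endpoint credential stores by the deception platform.
# Constructed names; the value records where the decoy was seeded, for the analyst.
DECOY_ACCOUNTS = {
    "svc-backup-legacy": "seeded on workstation ws-114, points at decoy file server fs-decoy-01",
    "hvac-admin": "seeded on jump host, points at decoy building-control interface",
}

# Constructed log format: "<ts> auth user=<name> src=<ip> dst=<host> result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\w+)$")

@dataclass
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    result: str
    context: str  # where the decoy was seeded, so the responder knows what was read

def detect_decoy_use(lines: List[str], decoys: Dict[str, str]) -> List[Alert]:
    """One Alert per auth event, successful or failed, that uses a decoy account."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        if m["user"] in decoys:  # a failed attempt is just as telling as a success
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["dst"], m["result"], decoys[m["user"]]))
    return alerts

def sources_to_isolate(alerts: List[Alert]) -> List[str]:
    """Distinct source addresses that touched a decoy: candidate footholds for containment."""
    return sorted({a.src for a in alerts})

# Constructed sample log lines; the first is a legitimate login from the same host.
SAMPLE_LOG = [
    "2019-09-01T08:00:01Z auth user=jsmith src=10.0.5.12 dst=mail-01 result=ok",
    "2019-09-01T08:02:13Z auth user=svc-backup-legacy src=10.0.5.12 dst=fs-decoy-01 result=fail",
    "2019-09-01T08:02:15Z auth user=hvac-admin src=10.0.5.12 dst=bms-01 result=ok",
    "malformed line that the parser must ignore",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG, DECOY_ACCOUNTS)
    for a in found:
        print(f"ALERT {a.ts} decoy={a.user} src={a.src} dst={a.dst} result={a.result} ({a.context})")
    print("isolate:", sources_to_isolate(found))
```

Because the legitimate jsmith login came from the same source as the decoy use, the responder also knows which real account's session on that host is suspect.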
Regardless of attack surfaces that may emerge, or existing ones that may evolve, organizations must adopt new approaches to cybersecurity controls and frameworks to mitigate incoming risks. It is unlikely that the pace of innovation or the hunger for access and services will subside. Legislation will help, but compliance will still never ensure security. With this in mind, defenders must be prepared for today’s borderless networks by adding in network visibility and the tools to detect intruders early, understand their adversaries and respond quickly to any attack originating from any attack surface.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.