Network security remains America’s greatest threat, according to a 2016 report by James R. Clapper, Director of National Intelligence, to the Senate Select Committee on Intelligence. Topping the list is the growing threat of the Internet of Things.
Predictions claim there will be a total of 24 billion IoT devices by 2020. These devices are attractive to attackers because many are shipped with insecure defaults, including default administrative credentials, open access to management systems via Internet-facing interfaces, and insecure, remotely exploitable code. To make matters worse, embedded systems are rarely if ever updated to patch security vulnerabilities; in fact, many vendors of these devices do not provide security updates at all. Internet of Things products (including IP-connected security systems, connected climate control and energy meters, smart video conferencing systems, connected printers, VoIP phones, and even smart light bulbs) pose a security risk for the companies using them.
How does a hacked IoT device affect the enterprise? The risk is not so much that an individual device is compromised, but that it provides a gateway to the network, in what are often called “stepping stone” attacks. Once in, IoT botnets can launch DDoS attacks, send spam, engage in man-in-the-middle (MitM) credential hijacking, and carry out DDoS extortion. Last year there were several historically large DDoS attacks, the most well-known being the one on Dyn, the internet service provider for companies including Twitter, SoundCloud, Spotify, Reddit and a host of others. The DDoS attack on Dyn was made possible when attackers used the “Mirai” malware to capture Internet of Things (IoT) devices and funnel them into botnet armies that attackers used to send massive amounts of traffic to targeted servers. The IoT devices used in the attacks were primarily internet-connected cameras, but also included routers and internet-connected printers.
Brian Krebs (KrebsOnSecurity) reported that the devices were “deployed with standard default user names and passwords, which users had not changed. Even if users deployed the IoT device behind routers, which should have made them unreachable from the internet, the devices use a technology known as universal plug and play (UPnP), which automatically opens ports to enable reaching the devices from the internet.”
The best defense is offense
The IoT has changed many things, but from a security perspective, it is the same challenge as dealing with any other security risk. It requires a programmatic approach. To avoid IoT vulnerabilities, IT departments need to know what is connected to their internal environment. Organizations can defend against DDoS attacks by implementing best practices for DDoS defense, including real-time DDoS mitigation, securing their network infrastructure, ensuring they have visibility into all traffic coming and going from their networks, and ensuring they have sufficient DDoS mitigation capabilities — either on-premise or via cloud-based DDoS mitigation services.
Need to assess your security and cloud options? I know the people. Contact me.