It seems like just yesterday everyone was gearing up to secure their organization for the anticipated BYOD deluge. Today, IoT security has quickly evolved to become the new front line in our connected world.
In early February, a grey-hat hacker compromised as many as 150,000 printers using an automated script that searches for open printer ports to send out rogue print jobs. He was able to affect printers of all makes and sizes at both large enterprises and small town restaurants. This hacker claimed he didn’t intend to cause harm, according to reports. Instead, he was educating people about the dangers of exposed devices and holes in IoT security. The reality is that the consequences of a single, exposed device can be far worse depending on what networks it’s connected to.
Malware on the rise
Last fall, a nasty strain of malware called Mirai launched one of the largest DDoS attacks, which led to popular internet services like Twitter, Netflix, and Amazon (maybe you’ve heard of them) being down for hours. Mirai was able to snowball because of a lack of security on devices like printers, routers, and surveillance cameras. Just as organizations of all sizes needed a strategy and supporting technology to safeguard data in the BYOD world, dealing with IoT security is also inevitable, whether it’s a large enterprise or a smaller organization that relies on distributed, connected devices.
In a statement for the record dated November 16, 2016, “Understanding the Role of Connected Devices in Recent Cyber Attacks,” Online Trust Alliance Executive Director and President Craig Spiezle outlined how IoT devices are being used in cyber attacks to cause disruption and impact the resiliency of online services. The statement was made to the United States House of Representatives Committee on Energy and Commerce as part of a joint hearing of the Subcommittee on Communications and Technology and Subcommittee on Commerce, Manufacturing, and Trade.
“The rapid rise in the Internet of Things has brought forth a new generation of devices and services representing the most significant era of innovation and growth since the launch of the internet,” Spiezle wrote in a blog post the day before. “While the vast majority of devices are safe and secure by today’s standards, all too many are being sold without security safeguards, adequate privacy controls, or lifecycle support. Combined, these devices have become proxies for abuse with a capacity for causing significant disruption.”
Boost your defensive strategy
There’s a lot that can be done, with many players in contributing roles. The OTA’s IoT Trust Framework is a voluntary self-regulatory model that identifies 31 criteria initially focused on connected home, office, and wearable technologies, as well as the various stakeholders that must play a role. Below is a summary of a few of those proposed guidelines:
- The government should be funding outreach and education, the OTA recommends, and working with trade organizations, Internet Service Providers (ISPs), local grassroots organizations, media, state government agencies, and others to raise awareness of the threats and responsibilities. They should also take a global view to coordinate efforts that will make sure industry can innovate while also guaranteeing the security, privacy, and safety of consumers and business—not to mention critical infrastructure.
- ISPs should be prepared to place users in a “walled garden” when detecting malicious traffic patterns coming from their homes or offices, the OTA said, while still permitting essential services like 911 access and medical alerts. Consumers would have to be informed of the need to make changes, get outside support, or swap out affected devices.
- Developers and manufacturers need to proactively tell their customers about any security and safety advisories and recommend a course of action, including the recall of products and disabling of their connectivity should there be risk to consumers’ personal safety or the privacy and security of their data.
- Retailers and e-commerce sites should be proactive in withdrawing products that don’t have a vendor’s commitment to patching over their anticipated lifespan, or don’t come with unique passwords. They should also notify customers of product recalls or security recommendations. Better yet, they should apply additional labels or shelf signage to educate customers on which devices excel at IoT security.
- The average consumer needs to be vigilant. The OTA said they should be responsible for staying up-to-date on patches and maintaining their devices, and should regularly review device settings and replace any insecure and outdated devices.
A tactical way of avoiding some recent, high-profile security breaches is to keep tabs on all the various devices and what ports they’re using. For example, it’s been reported that the Mirai malware tries to kill and block anything running on ports 22, 23, and 80 to lock users out of their own devices, but there are a number of security tests and procedures that thwart Mirai specifically.
IoT security best practices
- Change the factory settings. This means changing the default password that came with the device, including Wi-Fi routers.
- Don’t use plain text to store information. IoT devices need to store data in memory—so all user profiles, preference settings, and security keys used to restore connections should always be encrypted. Businesses should even reconsider how much data about their users they actually need to store.
- Close unused ports. While enterprise IT vendors usually provide built-in firewalls and other features, IoT security is still emerging. Be proactive about closing down any port that isn’t required by an application. And we don’t mean by modifying a single configuration file.
- Invest in an IoT platform. Just as mobile device management platforms emerged to handle BYOD, platforms are emerging to manage and secure printer and IoT ecosystems, as well as help organizations innovate.
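An added example, not from the original article, of keeping tabs on device ports and closing unused ones as described above: it compares a constructed device inventory with constructed scan results written in the style of nmap's grepable (-oG) output, and flags unknown devices, open ports no application needs, and exposure on the ports 22, 23, and 80 tied to Mirai above. The addresses, device names, and required-port lists are assumptions.

```python
import re

# Ports the article reports Mirai going after on devices.
MIRAI_PORTS = {22, 23, 80}
# Constructed inventory: the ports each device's application actually needs.
INVENTORY = {
    "10.0.0.11": {"name": "lobby-camera", "required": {554}},
    "10.0.0.12": {"name": "office-printer", "required": {631}},
    "10.0.0.13": {"name": "branch-router", "required": {443}},
}
# Constructed scan results in the style of nmap's grepable (-oG) output.
SCAN = """\
Host: 10.0.0.11 ()\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///
Host: 10.0.0.12 ()\tPorts: 80/open/tcp//http///, 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///
Host: 10.0.0.13 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.0.99 ()\tPorts: 23/open/tcp//telnet///
"""
PORT_RE = re.compile(r"(\d+)/open/tcp/")  # only ports reported as open

def parse_open_ports(scan_text):
    """Return {ip: set of open TCP ports} from grepable-style lines."""
    result = {}
    for line in scan_text.splitlines():
        host = re.match(r"^Host:\s+(\S+)", line)
        if not host or "Ports:" not in line:
            continue
        ports = {int(p) for p in PORT_RE.findall(line.split("Ports:", 1)[1])}
        result.setdefault(host.group(1), set()).update(ports)
    return result

def audit(inventory, scan_text):
    """Flag unknown devices, unneeded open ports, and Mirai-associated ports."""
    findings = []
    for ip, open_ports in sorted(parse_open_ports(scan_text).items()):
        device = inventory.get(ip)
        if device is None:  # on the network but not in the inventory
            findings.append((ip, "unknown-device", sorted(open_ports)))
            continue
        extra = open_ports - device["required"]
        if extra:
            findings.append((ip, "close-unused", sorted(extra)))
        exposed = extra & MIRAI_PORTS
        if exposed:
            findings.append((ip, "mirai-targeted", sorted(exposed)))
    return findings

if __name__ == "__main__":
    for ip, kind, ports in audit(INVENTORY, SCAN):
        print(f"{ip:<12} {kind:<15} {ports}")
```

A port that a device's application genuinely needs, such as 80 on a device managed over HTTP, belongs in its `required` set and is then not flagged.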
The good news is that nearly all IoT-related breaches are preventable. OTA researchers analyzed publicly reported device vulnerabilities from November 2015 through July 2016 and found that 100 percent of recently reported IoT vulnerabilities were easily avoidable.
On an algebra test, that’s an A+. In IT security, it’s the ultimate fail.