In this column, I try to avoid “buzz words” and jargon. Information security is complex enough without them. The security industry is overrun with companies that intend to confuse you with marketing bullet points, wrapped up as new concepts and trends, in the hopes that you will cut them a check. Meanwhile, you are the one that will bear the ultimate responsibility for risks they know you don’t understand.
This is a game I refuse to play. I think it’s possible to carefully communicate security risks associated with new technologies and trends without intentionally confusing the issue. The so-called “Internet of Things” is the one of the latest buzz words being used by vendors and service provider. It’s a relatively simple concept, yet represents a set of serious security concerns for your business.
The Internet of Things (or, IoT) is a blanket term used to describe all of the technology that being deployed in homes and businesses that isn’t normally considered as part of traditional IT infrastructure (things your IT staff already manage: computers, mobile devices, network equipment). These new devices connect to the public Internet and communicate in ways that make them “smarter”. These devices include security cameras, climate control, inventory logistics, power meters, and even “smart beds” in hospitals.
While the improvements in efficiency and cost savings that IoT devices can bring to a business cannot be ignored, it’s important to understand the risks associated with “smart” device. Despite being physically located on your premises, many IoT devices are managed “in the cloud”, meaning that the device communicates with an external entity (probably the vendor) across the public Internet, and that you (or your IT staff) manage and interact with it with a web browser or mobile application that also connects to this external entity. This opens up the attack surface (ways in which a cybercriminal will attack you) for both your network and the data you are trying to protect.
The IoT industry is quickly growing. To stay competitive, IoT vendors are developing new products rapidly, and are often not spending the time and resources necessary to develop secure software that runs on these devices. It can be difficult to design and develop a secure embedded device, especially one that requires so much connectivity. IoT devices are often “opaque” as well, meaning that your IT staff, however talented and experienced they are, may not have insight into how it works, nor have the ability to change its configuration in any useful way with regards to security.
At HORNE Cyber, our teams of hackers that we employ on network penetration tests have identified vulnerabilities in many of these devices on almost every single client we have tested over the past year (a sharp increase over previous years). Finding these vulnerabilities requires extensive security testing and reverse engineering experience. Mitigating these vulnerabilities requires designing your network to limit connectivity between IoT devices and sensitive systems and data.
Cybercriminals understand the Internet of Things all too well. The largest network denial of service attacks in history occurred in recent months, and the systems used to carry out these attacks were not powerful servers. These attacks were carried out by criminals that controlled thousands of network connected security cameras that they had hacked. Traditional network security monitoring solutions may not identify the latest IoT attacks, especially if you are not constantly updating those monitoring systems with information on vulnerabilities that your specific IoT devices might have.
My advice is to take advantage of new technologies that can help you become more efficient and profitable, but to only do so when you’ve carefully addressed the risk. Actively test your network for vulnerabilities, and monitor for intrusions by cybercriminals. See to it that you’re protected, and look forward to my future columns on other issues in cyber security.
This article was originally published in the Mississippi Business Journal.
For weekly insights into cybersecurity, please sign up here: