The Internet of Things: Are you really in control?
Just three years ago, the concept of IoT (Internet of Things) was still fresh; people bought devices because they were ‘cool’ or because it seemed that we could improve quality of life with ownership. This area of the market has seen huge growth since then – and IoT has changed - almost any device is available in this new form, from the norm of personal assistants and security cameras to the more diverse, in the form of coffee makers and even umbrellas.
The general excitement around IoT has led to market consumerisation faster than security standards have kept pace. These devices are small, often simple and built to a budget, which does not always allow for security implementations – and, because of the way they are purchased even those devices with security do not always have it properly configured by the end-user.
Demand for devices has in many cases pushed prices down to rock bottom, with security typically only a secondary consideration; some manufacturers provide remote access to allow firmware updates, or include only basic security defaults. Placing traditional anti-virus software capabilities on many IoT devices would also require additional hardware and connectivity, in turn increasing production costs.
Consider this: In 2015 there were over 430 million new pieces of malware discoveredthat’s around 13 discoveries per second. To be able to protect against attacks on IoT devices, there needs to be a new security model, which detects and understands malware before it gets to the device; traditional models will not work.
IoT has penetrated our lives in more ways than we could have imagined. We’re all familiar with VR headsets, wearable watches, cameras and thermostats, but what about Digital TV boxes, ovens, lightbulbs or doorbells? Or more seriously, health devices including pacemakers and diabetes monitors?
All these devices will store identity and usage data (and in some cases even financial data). Some may have location awareness or provide telemetry back into the cloud. Until standards for implementation are adopted, we should expect to see more and more attacks on consumer IoT – sometimes to steal identity and personal data, and others that may damage, slow or impact business.
Never forget, these are simply small computers and 2016 proved they can be reprogrammed remotely over the Internet. The Mirai worm virus spread quickly with highly public website and service provider DDoS (Distributed Denial of Service) attacks, but more recently we have seen ‘Botnet for Sale’ services with hackers offering up to 600,000 Mirai-infected devices pre-programmed and ready for attack. These devices have little or no built-in security, and so the ability to monitor their communication, identify threats and disable them will become essential features as we look to security posture – this requires that network elements, and not just security devices, participate in active security monitoring and enforcement.
What we have seen so far is merely the tip of the iceberg – we predict that soon devices may become digital spies on the users’ home networks, looking for data and information that is not secured – it’s important to recognise here that nowadays almost everyone legitimately takes and works with business data at home so we should start to consider protection for that potentially hostile environment too.
As a business, there is a responsibility to protect users’ data and network infrastructure – combined, these are what will held drive brand recognition. The reality is that IoT is penetrating the enterprise and companies need protection with the earliest possible warning against different types of malware, especially malware with the potential to infiltrate using IoT devices as a vector. Here at Juniper, we have the Sky Advanced Threat Prevention (Sky ATP) solution that uses machine learning to not only seek out the obvious malware identifiers, but also monitors network traffic from Juniper Networks® SRX Series firewalls. This enables faster and more accurate detection and remediation of hidden or unknown threats than standalone security appliances or firewalls.
In 2017, we expect that the IoT market will continue to innovate and grow, but we also predict that we will see more businesses being spied on, data being stolen and networks being breached because of the lack of security fundamentals on devices. Until IoT gains stronger security standards the onus is on us – individuals and businesses – to decide on where and when the use of IoT makes sense. Some developments in IoT make sense for businesses and some just feel cool.
My recommendation when looking at IoT is not to just think ‘Can I?’, but also ‘How will I protect myself when I do?’
---------------
If you enjoyed reading this blog and would like to read related security blogs please visit here