The Internet of Things, or IoT, is growing and evolving even as you read this. Here are my thoughts on what the IoT is, how it threatens your enterprise, and what you can do to prepare for, deal effectively with, and even take advantage of it.
IoT: What You Need to Know Now
- The term “IoT” refers fairly generically to things connected to the Internet that are not computers, tablets, or smartphones. You’ve probably already seen several variants on the theme, such as the “industrial IoT” or the “commercial IoT.” For now, we’ll just stick with “IoT.”
- The IoT is making significant inroads into business environments. Examples range from large-screen monitors that display content from the Web to specialized mobile devices, sensors, and almost anything that generates data and can be connected to a network.
- Users at some enterprises are already demanding to know why they can’t connect their smart speakers and other Internet-enabled things to their corporate networks. (Some are apparently uninterested in and/or fed up with talking with actual human co-workers, clients, and/or partners.) At some companies, users are simply connecting their consumer IoT devices to corporate networks, often without telling or seeking permission from IT. This mirrors and expands upon the “shadow IT” problem created when users connect their own computers, tablets, or smartphones to corporate resources without IT oversight.
- Since many consumer-oriented IoT devices include little or no enterprise-grade security, each one of these connections is a potential entry point for hackers and rogue software.
- Many if not most IT management and cybersecurity solutions are not yet “IoT-ready.” This makes it difficult or impossible to discover, track, manage, or secure IoT devices – even some of those designed for commercial or industrial use.
IoT: You’re (Probably) Not Ready
In September 2017, enterprise IoT security solution provider Armis announced the discovery of a new set of threats to devices equipped with Bluetooth wireless connectivity. Those threats, known collectively as “BlueBorne,” offer a sobering look at just one way hackers can exploit IoT devices.
- “Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack. If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a ‘man-in-the-middle’ [attack] to gain access to critical data and networks without user interaction.”
- “These proximity-based network vulnerabilities could allow attackers to create broad malware infections that could spread from one infected device to many others by wirelessly connecting to other devices over Bluetooth. The device-to-device connectivity nature of Bluetooth means an airborne (or ‘BlueBorne’) attack could easily spread without any action required by a user.”
- “‘These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,’ said Yevgeny Dibrov, CEO of Armis. ‘The research illustrates the types of threats facing us in this new connected age.’”
On Feb. 2, 2018, Security Boulevard published a report entitled “The Looming Enterprise IoT Security Threat.” The report highlights why IoT devices are a growing threat to many types of enterprises.
- “The increasing use of internet-connected devices in myriad applications such as asset tracking, equipment monitoring and managing data center environmental conditions have significantly expanded the attack surface at many enterprises. To adversaries, enterprise IoT systems present a relatively easy target because the devices often lack basic security controls, don’t support security patching and are not always well-monitored.”
- “‘The majority of enterprises lack visibility into the number and type of IoT devices active on their corporate networks,’ said Patrick Daly, an analyst at 451 Research. This often creates an inventory gap that leads to an incomplete assessment of the overall risk posture.”
- “‘The problem is that many devices were shipped without the native computing capabilities to run basic security functions like user and device authentication or even to receive software updates,’ he [Daly] noted. ‘It’s incredibly difficult to reduce risk later on, meaning that these threats aren’t going to go away anytime soon.’”
IoT: What You Need to Do Now
You need to know all you can know about every IoT device already connected to your network, and every attempt to establish such a connection. And you need to secure as many of those actual and potential connections as possible.
Where your enterprise uses or supports IoT devices, those devices must have robust, frequently changed passwords, and should also have software that can be and is patched regularly. Those devices that can’t support these features should be replaced or forbidden.
If your enterprise has effective solutions and processes in place for cybersecurity, endpoint, and/or IT asset management (ITAM), any or all of these can provide a jump-start to your IoT security and device management efforts. If your organization has none of these, now is the time to change that situation. Your need to secure IoT devices and connections is also an opportunity to improve overall cybersecurity at your enterprise.
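As an added illustration (not from the original article or any vendor's product), the triage described in this section can be sketched in Python: compare devices observed on the network against an ITAM inventory, then apply the password and patching rules above. The record fields, the 90- and 180-day thresholds, and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Asset:                      # one ITAM record (field names are hypothetical)
    name: str
    supports_patching: bool       # can receive software updates at all
    supports_password_change: bool
    patch_age_days: int           # days since the last applied update
    password_age_days: int        # days since the credential was last rotated

def norm_mac(mac):
    """Normalise MAC notation so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")

def triage(observed, inventory, max_patch_age=90, max_password_age=180):
    """Return {mac: (verdict, reason)} for every device seen on the network."""
    known = {norm_mac(m): a for m, a in inventory.items()}
    result = {}
    for dev in observed:
        mac = norm_mac(dev["mac"])
        asset = known.get(mac)
        if asset is None:
            # Connected without IT's knowledge: the inventory gap.
            result[mac] = ("unknown", "not in inventory: " + dev.get("hostname", "?"))
        elif not (asset.supports_patching and asset.supports_password_change):
            result[mac] = ("replace_or_forbid", asset.name + " cannot be patched or have its password changed")
        elif asset.patch_age_days > max_patch_age or asset.password_age_days > max_password_age:
            result[mac] = ("remediate", asset.name + " is overdue for a patch or password rotation")
        else:
            result[mac] = ("ok", asset.name)
    return result

# Constructed sample data, not taken from any real network.
INVENTORY = {
    "00:11:22:33:44:01": Asset("lobby-display", True, True, 12, 30),
    "00-11-22-33-44-02": Asset("hvac-sensor", False, True, 900, 400),
    "00:11:22:33:44:03": Asset("badge-reader", True, True, 200, 20),
}
OBSERVED = [  # e.g. parsed from DHCP leases or switch MAC tables
    {"mac": "00:11:22:33:44:01", "hostname": "lobby-display"},
    {"mac": "00:11:22:33:44:02", "hostname": "hvac-sensor"},
    {"mac": "00:11:22:33:44:03", "hostname": "badge-reader"},
    {"mac": "00:11:22:33:44:99", "hostname": "smart-speaker"},
]

if __name__ == "__main__":
    for mac, (verdict, reason) in triage(OBSERVED, INVENTORY).items():
        print(f"{mac}  {verdict:18} {reason}")
```

MAC addresses alone are easy to spoof or randomize, so a real deployment would pair this reconciliation with stronger device identification.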