The IoT Stampede
Recap from the October 8th, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
Autumn is officially here, which means stores are ramping up their sales. The back-to-school sales happened not too long ago, and next thing you know it will be Black Friday and Cyber Monday. As Steve Prentice explained in the latest Cloud Security Tip, “Every year, the fall season sees billions of dollars being spent on home-based IoT devices.” These IoT purchases cover a wide range of devices: printers, DVRs, IP cameras, and smart home assistants, to name just a few. Because these convenient devices are often relatively inexpensive, many businesses purchase them during the big fall sales.
But before you run out to stock up on printers and security cameras, keep in mind some potential risks associated with these items. IoT devices connect to the internet and to each other easily, and make decisions for us at machine speeds. Many of these products, however, are headless devices, which means they are unable to patch vulnerabilities or receive upgrades. And since IoT devices are connected to the internet, they can be hacked just like any other internet-enabled device. If you can’t patch or upgrade a device, your business could be vulnerable to a host of problems.
It’s crucial to understand the security vulnerabilities that impact IoT devices. One of the key IoT security issues is the expansion of attack surfaces. Attack surface refers to the sum of the different points where an unauthorized user can access data. Keeping the attack surface as small as possible is a basic security measure, but the attack surface expands with every new internet-connected device. On top of that, manufacturers are pumping out huge quantities of IoT devices to keep up with demand, and product security often becomes an afterthought, if it’s considered at all.
One of the main IoT challenges is that the devices often record, have access to, and stream sensitive data. If they are not properly secured, your business could be in big trouble. Take for instance your office security systems: imagine all of the issues that could be caused if the camera or keypad were hacked by a cybercriminal. Your general office equipment is also a potential access point: a printer that hasn’t been updated could allow an attacker to view everything that is printed or scanned.
Make sure you are only purchasing IoT devices released by responsible manufacturers. Ensure that your purchase will have security updates when vulnerabilities are discovered, and that your devices can be patched regularly with the latest updates. Mobile application controls and malware protections should be built into the network to cover any device, anywhere, and should use real-time threat intelligence across the board. If you’re considering a device that doesn’t receive updates or patches, be sure you understand the impact that could have on your business in the event of an attack.
Hopefully this information serves as a timely reminder that an intelligent fabric-based security architecture, the “learn, segment, and protect” approach, can help prevent attacks on the seemingly innocent IoT devices you use in the office or are considering buying in the next flash sale.