Security of IoT
The Internet has changed the way businesses can interact with customers, from social media to online forums and importantly online sales platforms. Customers are increasingly impatient, wanting an interaction to be instantaneous and wanting the way they transact business to work around their lifestyle, never forcing them to go out of their way. The Internet of Things (IoT), is an exciting innovation for those keen to further this experiential trend; IoT will shorten the gap between businesses and their customers and connect users via new mediums and ‘devices’ such as cars, fridges and other everyday items that can be found around the house or office.
This begs the question of how security can be ensured. There has already been evidence of self-driving smart cars being hacked, which in a real-world situation could be to deadly effect. IoT devices need internet to function, that’s a given, so is the real issue around how to secure a network and ensure that it cannot be accessed by an unauthorized individual? Maybe so, however, for organizations of all sizes IoT can mean something slightly different; network connected devices such as printers, CCTV, webcams and Wi-Fi routers represent the IoT landscape as it currently stands for businesses and in every-day office life there seems nothing threatening about this.
IoT has built a bad name for itself when it comes to security and has become known for poor levels and regular hacks. Hackers have quickly worked out how to turn connected devices into botnets that can be used to launch large scale attacks on other organizations and networks, often without knowledge of the IoT device owner. In 2016, hackers were able to turn over 150,000 IoT devices into botnets and initiate an attack with global repercussions. The problem stemmed from poor credential management; the Mirai strain of malware used, took advantage of default passwords and account settings and with relative ease was able access the devices.
Cyber-criminals can operate for different purposes, often financial gain as is the case with many Ransomware attacks, but some of these can be more disruptive and not focus on extorting money from those affected. As reported in Verizon’s Data Breach Digest 2017, one university found themselves a victim of an attack after hackers were able to turn their own IoT devices against them. Firewall analysis showed that over 5,000 devices began making hundreds of DNS look-ups, searching seafood restaurants of all things, in order to significantly slow down the network with the aim to crash the network completely.
Protecting IoT devices
As with any cyber-crime or attack, it is very difficult to predict when your network may be under threat and it can be very difficult to stop all kinds of attack. Limiting the possible effect of any attack should be a priority for all organization as there are often steps that can be easily taken internally to mitigate risks and effects. With IoT devices the solution lies in the way they are set up and administered; hosting IoT devices on a separate network to core business or organizational systems will begin to mitigate the damage that can be done.
Secure credential management is best practice across all aspects of business, many organizations will have staff update passwords regularly and ensure that ‘password1’ is not being used. For IoT devices this is often forgotten but it is most important aspect of securing devices. The first stage of many cyber-attacks, IoT based or otherwise, is acquiring passwords. If the password and username is ‘admin’ or some other default this is no hard task for hackers.
Network monitoring tools can also be implemented to help assure the protection of your office devices. Whilst this may not stop an attack it may pick one up, and flag up any vulnerabilities within systems allowing network managers to patch and prevent future attacks.