2/4/2019
10:30 AM
Saumitra Das
Commentary

IoT Security's Coming of Age Is Overdue

The unique threat landscape requires a novel security approach based on the latest advances in network and AI security.

Security always lags behind technology adoption, and few technologies have seen growth as explosive as the Internet of Things (IoT). Despite the rapid maturation of the market for connected devices, security has been an afterthought until now, creating an unprecedented opportunity for hackers worldwide.

It's 2019 and the industry is overdue for a new, comprehensive security model for connected devices — one that reflects the challenges of protecting IoT's position at the confluence of software and device security. The unique threat landscape requires a novel security approach based on the latest advances in network and artificial intelligence (AI) security.

What's at Stake
Cisco estimates the number of connected devices will surpass 50 billion by 2020. Enterprises are on pace to invest more than $267 billion in IoT tools during that same time. Attacks on IoT devices rose by 600% in 2017, reflecting both security vulnerabilities and the value of the targets. The NSA posted an advisory on smart furniture hacks, and the 2018 Black Hat and DEF CON conferences produced a stunning array of connected device attacks and security analysis.

The prevalence of connected devices and lack of comprehensive IoT security pose diverse risks for enterprises.

To start, altering or interrupting connected device performance alone can constitute a catastrophic breach — even one with life-or-death consequences. The Stuxnet attack famously sabotaged the Iranian nuclear program by causing as many as a thousand uranium enrichment centrifuges to malfunction and eventually fail. Attacks targeting power grid infrastructure have been detected abroad in Ukraine and the United States. Interference with consumer devices such as vehicles and pacemakers puts their owners at risk. Inside the enterprise, tampering with smart mining, manufacturing, or farming equipment could cause millions of dollars in damages in goods and equipment. The growing trend toward corporate ransom and hacktivism has expanded the pool of potential targets beyond scenarios where attackers can profit directly from a breach.

In addition to service disruptions, IoT systems are susceptible to breaches resulting in data loss. Data from manufacturing and consumer sensors can be valuable intellectual property. Lost data from consumer or enterprise devices can constitute privacy violations, as in the case of connected toys or even office-entry badge logs. Regulatory experts anticipate a "feeding frenzy" of legal cases stemming from IoT attacks in the coming years.

Following Data from Sensors to the Cloud
The IoT threat landscape includes elements of both centralized and dispersed systems. A typical architecture involves a large number of sensors collecting data, which is then consolidated and analyzed. Practically, we can group the vulnerabilities of IoT systems into two categories: the security of sensors and the security of data repositories.

Connected devices create liabilities at all stages of the security life cycle, from prevention to detection to remediation. The challenge of securing sensors begins with taking an accurate inventory. Many companies will be hard pressed to evaluate the security posture of all connected devices in use, from strategic enterprise equipment to connected devices in regional offices. Many connected devices lack basic security features found on laptops or smartphones. Default passwords, unpatched operating systems, network trust issues, and unhardened devices with open ports are all vulnerabilities endemic in IoT security. Finally, hardware may not support the capability to register that it has been tampered with, limiting the security team's ability to detect and respond to successful attacks.

The Internet of Things is inherently intertwined with cloud security. Most sensors have relatively limited processing capabilities and rely on cloud hosting to analyze data. These consolidated repositories create risks around access control, data security, and regulatory compliance. Gartner warns that at least 95% of cloud security failures will be the customer's fault, meaning misconfigured security settings will result in security incidents. Research on a sample of enterprise AWS S3 buckets found 7% with unrestricted public access and 35% unencrypted. Hundreds of millions of dollars in acquisitions for vendors dedicated to auditing and automating cloud security configurations attest to the breadth of this attack vector.

Leveraging the Strengths of IoT for Security
Companies have invested in IoT in the absence of robust security because of the business opportunities available from massive amounts of data and powerful analytics. Fittingly, IoT security solutions must lean on these same advantages.

First, IoT security fundamentally requires network-based enforcement. IoT sensors cannot support the same endpoint security solutions available for smartphones. The sheer number of devices a typical enterprise uses makes security at the device level infeasible. Applying security at the network level allows the enterprise to gain holistic visibility and enforcement across its IoT portfolio.

Second, companies can use the large quantities of data coming from IoT devices to implement behavioral security with neural networks. The AI approaches in use today with IoT are simple statistical deviation or anomaly detection. They may find the needle in the haystack, but they will also see needles where they do not exist. The massive traffic coming from IoT systems allows for the training of neural networks to detect malicious intent with greater accuracy, lowering the rate of false positives and alleviating alert fatigue.
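The "simple statistical deviation" detection described above can be sketched as a per-device z-score check on traffic volume seen at the network level. This is an added example, not code from the author or his company; the device names, byte counts, labels and the threshold of 3 are constructed assumptions. It shows the same rule catching a real bulk transfer and also alerting on a benign firmware check-in.

```python
from statistics import mean, stdev

# Constructed sample: bytes sent per 5-minute window, per device (not real data).
BASELINE = {
    "thermostat-01": [1200, 1180, 1250, 1210, 1190, 1230, 1220, 1205],
    "camera-07": [50500, 49800, 51200, 50100, 50900, 49500, 50700, 50300],
}

# New windows seen at the network tap, with constructed ground-truth labels.
OBSERVED = [
    ("thermostat-01", 1215, "benign"),      # normal telemetry
    ("thermostat-01", 48000, "benign"),     # vendor firmware check-in burst
    ("camera-07", 50400, "benign"),         # normal video upload
    ("camera-07", 910000, "malicious"),     # bulk outbound transfer
]


def zscore(history, value):
    """Standard deviations between value and the device's own baseline."""
    sigma = stdev(history)
    return (value - mean(history)) / sigma if sigma else 0.0


def detect(baseline, observed, threshold=3.0):
    """Return an alert for every window whose |z| exceeds the threshold."""
    alerts = []
    for device, value, label in observed:
        z = zscore(baseline[device], value)
        if abs(z) > threshold:
            alerts.append((device, value, label, round(z, 1)))
    return alerts


def false_positive_rate(alerts, observed):
    """Share of benign windows that still raised an alert."""
    benign_total = sum(1 for _, _, label in observed if label == "benign")
    false_alerts = sum(1 for alert in alerts if alert[2] == "benign")
    return false_alerts / benign_total


if __name__ == "__main__":
    found = detect(BASELINE, OBSERVED)
    for device, value, label, z in found:
        print(f"ALERT {device}: {value} bytes (z={z}) ground truth: {label}")
    print(f"false positive rate: {false_positive_rate(found, OBSERVED):.2f}")
```

The deviation rule has no notion of why traffic spiked, so the firmware burst and the bulk transfer look alike to it; that gap is what the article argues richer behavioral models should close.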

Forcing existing enterprise security approaches onto IoT systems is doomed to failure. Securing the Internet of Things requires a combination of hardware and software security that contends with the unique risks and limitations of connected devices and data processing repositories. By tailoring security to the architecture of IoT systems in use, organizations can take advantage of all the benefits that technologies like the cloud and AI have to offer.

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ...
Comments
REISEN1955,
User Rank: Ninja
2/15/2019 | 7:05:56 AM
Re: We need to improve, pronto
The bad guys (all of them) have nothing but TIME on their hands - they have all day to just THINK about how to bypass any security function and this is an incredible advantage. WE have to deal with trying to out-think them while dealing with a few thousand corporate rules, regulations, budget and time issues. We have an 8-12 hour working day standard. The bad guys have 24 hour days all of the time. There we have a mega disadvantage in effort and, besides, I always believe we are forever 5 minutes behind the bad guys all of the time.
StephenGiderson,
User Rank: Apprentice
2/14/2019 | 9:35:31 PM
We need to improve, pronto
As technology evolves, so should security. However, in this rapidly progressing era, that unfortunately isn't the case. As we witness constant development of various technologies, we sadly also experience major lapses in security over various platforms. Consumer data is sacrificed affecting not only individuals but large corporations as well. Major loss of confidence has occurred over the course of just less than a decade and how can we seriously improve?
UdyRegan,
User Rank: Apprentice
2/14/2019 | 2:01:46 AM
Many entry points..
The more connections you have to an information hub, the more security you're going to need. Every access point is a potential threat, of course. I'm pretty sure that you'll be able to find some good solutions to beef up the security of the data storage points though. That at least is one way to implement a bit of protection.
Saumitra Das,
User Rank: Author
2/4/2019 | 2:30:53 PM
Re: Blockchain
Blockchain for IoT is an interesting area for distributed trust between devices and the entities they interact with. However, security itself can be about the IoT device being tampered with in terms of transacting with other entities as well as being compromised itself leading to lateral movement in the enterprise. Additionally, many IoT systems are battery, CPU and network bandwidth constrained which can be challenging for deploying blockchain. Neural network based threat detection can help identify compromise early and has the potential to be a key enabler of this ecosystem.
blodgettcalvin,
User Rank: Apprentice
2/4/2019 | 11:21:15 AM
Blockchain
In fact, there are already many protection technologies. The most popular is the blockchain system. Also, the development of neural networks makes itself felt and there will soon be a new system based on neural systems.