September 1, 2016 By Mandeep Khera 3 min read


Ready or not, the Internet of Things (IoT) is here. No longer just a buzz term, it’ll continue to grow at an unprecedented pace over the next few years.

IoT Security Is an Afterthought

History shows that most fast-growth technology solutions focus on solving business problems first; security is an afterthought. Web applications, which have grown dramatically to hundreds of millions in number over the last decade, still have major security problems, and cybercriminals continue to attack through this low-hanging fruit. Mobile apps, numbering around 4 million and counting, are still easily exploitable, leading to major losses from cyberattacks.

Unfortunately, IoT is following the same trend. Most IoT devices, apps and infrastructure were developed without security in mind and are likely to become targets of cybercriminals.

IoT Will Allow for Attacks We Can’t Even Imagine

To put it bluntly, IoT security concerns are critically serious. According to some security experts, major cyberattacks against IoT devices are looming. From connected cars to connected medical devices to smart buildings and cities, security implications are huge.

Bruce Schneier painted a very gloomy picture in a recent article. Schneier said that “the Internet of Things will allow for attacks we can’t even imagine” and noted that “the next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.” He added that “today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway.”

This may be a dark view of the IoT, but many organizations fear the worst when it comes to their security. Business executives consistently cite security as a major barrier to adopting IoT technology.

IoT Threat Vectors

Today’s IoT software applications are entrusted to securely manage your organization’s health care, transportation and other critical functions without fail. However, IT and security executives must be aware of safety and security risks that connected products pose as they rapidly evolve from unintelligent point objects into fully autonomous, IoT-enabled smart devices. They must also understand that fundamental security protection begins with controls built into devices and applications, and takes the ecosystem in which those devices and applications operate into consideration.

At a very high level, a typical IoT framework consists of edge devices (such as sensors, adapters, beacons, etc.), a gateway to communicate with these devices and a back-end server in the cloud or on-premises. You have to take each section separately and address security issues for each. Conduct a security penetration test, for example, to find out if endpoint devices can be hijacked and exploited.

If you need certificates for devices to communicate, ask your device manufacturer or find a security certificate vendor to provide the solution. For the gateway and the back-end server, make sure that besides the network security and data encryption issues, you address application security issues by performing security testing and fixing vulnerabilities. You should also harden binary code to protect your environment. An effective organizational security plan should incorporate basics such as network security protection and data encryption as well.
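The two paragraphs above recommend certificates for device communication and securing the gateway, but not what that looks like in configuration. The following is an added example, not code from the article or from IBM: it builds a weak and a hardened Python `ssl.SSLContext` for the gateway side (which should require a certificate from every device, i.e. mutual TLS) and for the device side (which should verify the gateway's certificate and hostname), then audits each one offline. The file paths and the "gateway"/"device" role names are assumptions of the example.

```python
"""Added example (not from the article): auditing the TLS configuration on both
sides of the device-to-gateway link.

One concrete form of "certificates for devices to communicate" is mutual TLS:
the gateway requires every edge device to present a certificate issued by a
device CA, and the device verifies the gateway's certificate and hostname.
This script builds a weak and a hardened ssl.SSLContext for each side and
audits them without opening any network connection.
"""
import ssl
from typing import List

# Placeholder paths (hypothetical); nothing is loaded, so the example runs offline.
DEVICE_CA_BUNDLE = "/etc/gateway/device-ca.pem"  # issuer of the device certificates
GATEWAY_CERT = "/etc/gateway/gateway.pem"        # gateway identity certificate
GATEWAY_KEY = "/etc/gateway/gateway.key"         # gateway private key


def build_weak_gateway_context() -> ssl.SSLContext:
    """Gateway that encrypts traffic but accepts any client: devices are never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_hardened_gateway_context() -> ssl.SSLContext:
    """Gateway that only completes a handshake with a device holding a certificate from the device CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: a client certificate is mandatory
    # In deployment the gateway also needs its own identity and the device CA:
    # ctx.load_cert_chain(GATEWAY_CERT, GATEWAY_KEY)
    # ctx.load_verify_locations(DEVICE_CA_BUNDLE)
    return ctx


def build_weak_device_context() -> ssl.SSLContext:
    """Firmware anti-pattern: TLS with all server verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_hardened_device_context() -> ssl.SSLContext:
    """Device that verifies the gateway's certificate chain and hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ctx.load_cert_chain("/etc/device/device.pem", "/etc/device/device.key")  # hypothetical device identity
    return ctx


def audit_tls_context(ctx: ssl.SSLContext, role: str) -> List[str]:
    """Return human-readable findings for a 'gateway' or 'device' context.

    An empty list means every check passed.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        if role == "gateway":
            findings.append("peer certificate not required: unauthenticated devices can connect")
        else:
            findings.append("peer certificate not required: the gateway is never authenticated")
    if role == "device" and not ctx.check_hostname:
        findings.append("hostname not checked: any valid certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    for name, ctx, role in [
        ("weak gateway", build_weak_gateway_context(), "gateway"),
        ("hardened gateway", build_hardened_gateway_context(), "gateway"),
        ("weak device", build_weak_device_context(), "device"),
        ("hardened device", build_hardened_device_context(), "device"),
    ]:
        print(f"{name}: {audit_tls_context(ctx, role) or 'OK'}")
```

Running the script prints the findings for each of the four contexts: the two hardened contexts pass, and the two weak ones report the missing peer authentication. In a deployment, the commented-out `load_cert_chain` and `load_verify_locations` calls are where the certificates the article says to obtain from the device manufacturer or a certificate vendor are supplied.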


Securing IoT Infrastructure, Piece by Piece

Most companies lack the resources to protect every single aspect of the IoT infrastructure, so it’s important to prioritize the various assets based on exposure and liability issues. Fundamentally, it’s about risk management.

A medical device manufacturer, for example, might have various IoT initiatives that could include smart buildings with lighting and thermostat controls, security cameras, logistics automation and actual products being sold to medical facilities. Clearly, from a liability perspective, it has to ensure the security of its medical device products that are communicating with each other over the internet before it looks at other internal IoT projects. Similarly, automotive manufacturers would want to make sure their connected car infrastructure can operate securely between the consumer’s mobile device, the dealer’s software and the telematics system.

Governments across the globe need to start taking IoT security seriously and create standards for companies to follow. Some discussions have already begun; Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress last year, warning of these threats, Schneier noted.

Although organizations don’t always welcome new regulations, minimal oversight opens doors and budgets for security teams. CEOs and boards of directors are more inclined to create budgets for compliance-related issues because they don’t have a choice. They might get complacent if there is no regulatory standard with specific deadlines. Many companies naturally tend to wait until they get attacked, which is absolutely the wrong practice to follow.

Get Educated

As a security manager and executive, you have to start by educating yourself on the concepts of IoT, various vulnerable vectors and the solutions available to protect your infrastructure.

Watch the on-demand webinar: Application Security and the Internet of Things
