February 2, 2017 By Bill Laberis

Last year’s cyberattack against internet provider Dyn was something of a milestone. For the first time in a large-scale campaign, the attackers didn’t go directly at their target’s servers. Instead, they pressed Mirai malware into service. This malware automatically discovers Internet of Things (IoT) devices and leverages poor IoT security, allowing the attackers to link about 100,000 of these ill-secured devices into a centrally controlled botnet. They then launched a highly successful distributed denial-of-service (DDoS) attack against Dyn’s servers.

Mirai-powered fraudsters struck again at the end of last year, this time wiping out internet service for nearly 1 million Deutsche Telekom customers. Moreover, investigators suggested that the operators behind the Dyn attack may have gone public with the malware’s source code. This could potentially give other cybercriminals a leg up in developing their own flavors of Mirai to attack IoT devices.

The State of IoT Security

There are two unimpeachable truths about IoT devices. The first is that the volume of these devices is exploding. Gartner estimated that about 6.4 billion IoT devices were in use in 2016, a number the firm expects to more than triple in just three years to 21 billion.

The second truth is that these devices, which can hold massive troves of personal, operational and corporate data, are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and doesn’t have established quality controls or standards. In fact, the devices are widely manufactured with few, if any, standards, and often arrive with weak default passwords.

IoT Security Spending Skyrocketing

“The affordability and compactness of computing is what places IoT technology within affordable reach,” said Scott Crawford, research director for information security at 451 Research. “Without demonstrated threats, manufacturers may see little compulsion to incorporate strong security in these devices and systems.”

Organizations are quickly ratcheting up IoT security spending. Gartner predicted that such spending would amount to roughly $550 million by next year, a figure that could skyrocket by 2020. The veritable boom of IoT devices and the pressing need to secure them could potentially lead to extreme shortages of IoT security specialists within two to three years. Bear in mind, IT professionals must secure not only the devices themselves, but also their operating systems, platforms, networks and other interconnected systems.

This all translates into extra security precautions IT leaders must apply to various routine business activities. Consider merger and acquisition activity, for example. Obviously, an overall security assessment of the target company’s infrastructure is a key requirement.

“If IoT devices are authenticated and managed through identity management systems, their integration should parallel that of IT systems and endpoints,” Crawford noted. He added that acquiring companies must assure that IoT networks and clusters are somehow segmented from unexpected exposure that may result from the transition, especially for sensitive operational environments.

Securing Your IoT Environment

What else can enterprises do to secure the burgeoning IoT environment today? For one thing, security leaders should be aware of industry groups that have taken the lead in bolstering the security of operational technologies, including IoT devices. These groups include the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection Committee (CIPC) for electric utilities, the Health Information Trust Alliance (HITRUST) and the Society of Automotive Engineers, which published an invaluable cybersecurity guidebook.

Crawford advised organizations to apply the same principles that they apply to overall IT security to IoT security. Strategists should include IoT deployments in broader strategies for insulating networks and systems from attacks, thus “assuring controls on access to sensitive functionality, protecting confidential data and evaluating the resilience of systems to exploit.”

Crawford also pointed out the growing number of businesses and consultancies seeking to work with enterprises wrestling with IoT security issues. It’s critical, however, to distinguish between legitimate services and vendors merely pushing their potentially insecure products.

The oncoming wave of IoT is unstoppable — although it could be slowed by governmental regulation if device manufacturers don’t step up their game when it comes to security and interoperability standards. For the near term, however, IoT security solutions will be far from standardized, especially given the number of device-makers globally. Cybercriminals know this and will likely redouble efforts to exploit IoT security gaps.
