Last year’s cyberattack against internet provider Dyn was something of a milestone. For the first time in a large-scale campaign, the attackers didn’t go directly at their target’s servers. Instead, they pressed Mirai malware into service. This malware automatically discovers Internet of Things (IoT) devices and leverages poor IoT security, allowing the attackers to link about 100,000 of these ill-secured devices into a centrally controlled botnet. They then launched a highly successful distributed denial-of-service (DDoS) attack against Dyn’s servers.

Mirai-powered fraudsters struck again at the end of last year, this time wiping out internet service for nearly 1 million Deutsche Telekom customers. Moreover, investigators suggested that the operators behind the Dyn attack may have gone public with the malware’s source code. This could potentially give other cybercriminals a leg up in developing their own flavors of Mirai to attack IoT devices.

The State of IoT Security

There are two unimpeachable truths about IoT devices. The first is that the volume of these devices is exploding. Gartner estimated that about 6.4 billion IoT devices were in use in 2016, a number the firm expects to more than triple in just three years to 21 billion.

The second truth is that these devices, which can hold massive troves of personal, operational and corporate data, are notoriously insecure. Forrester Research noted that IoT security is in its “creation phase” and doesn’t have established quality controls or standards. In fact, the devices are widely manufactured with few, if any, standards, and often arrive with weak default passwords.

IoT Security Spending Skyrocketing

“The affordability and compactness of computing is what places IoT technology within affordable reach,” said Scott Crawford, research director for information security at 451 Research. “Without demonstrated threats, manufacturers may see little compulsion to incorporate strong security in these devices and systems.”

Organizations are quickly ratcheting up IoT security spending. Gartner predicted that such spending would amount to roughly $550 million by next year, a figure that could skyrocket by 2020. The veritable boom of IoT devices and the pressing need to secure them could potentially lead to extreme shortages of IoT security specialists within two to three years. Bear in mind, IT professionals must secure not only the devices themselves, but also their operating systems, platforms, networks and other interconnected systems.

This all translates into extra security precautions IT leaders must apply to various routine business activities. Consider merger and acquisition activity, for example. Obviously, an overall security assessment of the target company’s infrastructure is a key requirement.

“If IoT devices are authenticated and managed through identity management systems, their integration should parallel that of IT systems and endpoints,” Crawford noted. He added that acquiring companies must ensure that IoT networks and clusters are somehow segmented from unexpected exposure that may result from the transition, especially for sensitive operational environments.

Securing Your IoT Environment

What else can enterprises do to secure the burgeoning IoT environment today? For one thing, security leaders should be aware of industry groups that have taken the lead in bolstering the security of operational technologies, including IoT devices. These groups include the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection Committee (CIPC) for electric utilities, the Health Information Trust Alliance (HITRUST) and the Society of Automotive Engineers, which published an invaluable cybersecurity guidebook.

Crawford advised organizations to apply the same principles that they apply to overall IT security to IoT security. Strategists should include IoT deployments in broader strategies for insulating networks and systems from attacks, thus “assuring controls on access to sensitive functionality, protecting confidential data and evaluating the resilience of systems to exploit.”

Crawford also pointed out the growing number of businesses and consultancies seeking to work with enterprises wrestling with IoT security issues. It’s critical, however, to distinguish between legitimate services and vendors merely pushing their potentially insecure products.

The oncoming wave of IoT is unstoppable — although it could be slowed by governmental regulation if device manufacturers don’t step up their game when it comes to security and interoperability standards. For the near term, however, IoT security solutions will be far from standardized, especially given the number of device-makers globally. Cybercriminals know this and will likely redouble efforts to exploit IoT security gaps.
