Channel: Symantec Connect - Blog Entries

ISTR Insights: The Internet of Things (IoT) and the Concerns of Convenience

Seeking a Balance Between Security and Connectivity

The Internet of Things (IoT) provides us with ever-expanding convenience, inter-connecting nearly every aspect of daily life. We can connect to our homes and our workplace—and points between—to track our workouts, navigate maps, adjust our home thermostat, sell items we no longer need or want, schedule appointments, sync to-do and shopping lists with others (and our home refrigerators!), and even check to see who’s ringing our doorbell when we’re away from home.

Many companies allow or even require employees to bring and use their own devices to work both on- and off-site. We’re no longer chained to the desk—we can take conference calls, answer email and respond to instant messages from co-workers, and access our work files while we’re travelling or at home.

According to the Symantec 2016 Internet Security Threat Report Vol. 21 (ISTR), there are currently 25 internet-connected devices for every 100 inhabitants in the USA. Gartner forecasts that 20.8 billion connected things will be in use worldwide in 2020.

How does it impact your enterprise? Is the convenience of connectivity worth the security concerns that are inevitable?


Insecurity of Things?

The number of mobile vulnerabilities has increased every year over the past three years, according to the 2016 Internet Security Threat Report. Over the last year, Symantec has seen an increase in proof-of-concept attacks and growing numbers of IoT attacks in the wild. In numerous cases, the vulnerabilities were obvious and all too easy to exploit. IoT devices often lack stringent security measures, and some attackers are able to exploit vulnerabilities in the operating systems found in several IoT devices and routers.

Examples of hacked IoT:

  • Cars. Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of the vehicle remotely. In the UK, thieves hacked keyless entry systems to steal cars.
  • Smart home devices. Millions of homes are vulnerable to cyberattacks. Symantec research found multiple vulnerabilities in 50 commercially available devices, including a smart door lock that could be opened remotely online without a password.
  • Medical devices. Researchers have found potentially deadly vulnerabilities in dozens of devices such as insulin pumps, x-ray systems, CT-scanners, medical refrigerators, and implantable defibrillators.
  • Smart TVs. Hundreds of millions of internet-connected TVs are potentially vulnerable to click fraud, botnets, data theft, and even ransomware, according to Symantec research.
  • Embedded devices. Thousands of everyday devices, including routers, webcams, and Internet phones, share the same hard-coded SSH and HTTPS server certificates, leaving more than 4 million devices vulnerable to interception and unauthorized access.
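
An added example (not from the ISTR or Symantec) of how a defender can check an inventory they own for the shared-key condition described in the embedded-devices item: it groups `ssh-keyscan`-format lines by OpenSSH SHA-256 fingerprint and reports any fingerprint served by more than one host. The addresses and key blobs are constructed placeholders, not real key material.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed placeholder blobs, NOT real key material: two stand-in "host keys".
_SHARED = base64.b64encode(b"constructed-firmware-default-key").decode()
_UNIQUE = base64.b64encode(b"constructed-per-device-key").decode()

# Constructed sample in ssh-keyscan's "host keytype base64-key" line format.
SAMPLE_SCAN = f"""\
# 10.0.0.11:22 SSH-2.0-constructed
10.0.0.11 ssh-rsa {_SHARED}
10.0.0.12 ssh-rsa {_SHARED}
10.0.0.13 ssh-rsa {_SHARED}
10.0.0.20 ssh-ed25519 {_UNIQUE}
10.0.0.11 ssh-rsa {_SHARED}
10.0.0.30 ssh-rsa not*base64
truncated-line
"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the decoded blob, unpadded base64."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(scan_text: str) -> dict[str, list[str]]:
    """Map each fingerprint served by more than one host to those hosts."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or line.startswith("#"):
            continue  # comment, blank, or truncated line
        host, _keytype, blob = fields
        try:
            hosts_by_fp[fingerprint(blob)].add(host)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # undecodable key field: skip rather than mis-group
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} served by {len(hosts)} hosts: {', '.join(hosts)}")
```

A host that appears twice with the same key counts once, so only keys present on distinct devices are reported.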

The diversity of threats mirrors the diversity of devices. Beyond phones and tablets, there are increasing numbers of internet-connected wearable devices, and new car models are powerful rolling networks, with navigation, communication, entertainment, and engine-management computers on board. Each new connected device introduced to a network becomes a potential entry point for cyber attackers.

How to Protect Corporate Data

As multiple devices connect to the enterprise network, we encounter a trade-off between more agile productivity and the unprecedented threat of losing customer or employee information, product or financial details, or intellectual property—data that should be protected and accessed by only those who are authorized to do so. The 2016 Internet Security Threat Report provides some guidelines for protecting corporate data:

  1. Where possible, implement a policy that restricts unauthorized devices, such as external portable hard drives and other removable media.
  2. If a Bring Your Own Device (BYOD) policy is in place, ensure all devices allowed on company networks have adequate security protections.
  3. Be aggressive in updating and patching operating systems, software, browsers, and software plugins.
  4. Enforce an effective password policy. Ensure passwords are strong.
  5. Create and maintain regular backups of critical systems, as well as endpoints.
  6. Restrict email attachments, and configure mail servers to block email that contains file attachments commonly used to spread viruses.
  7. Ensure infection and incident response procedures are in place.
  8. Educate employees about good security habits.

Protect the Connection

Standards for protecting the IoT are still very early in development. Effective security requires layers of security built into devices and endpoint management, including authentication, code signing, and on-device security (such as Embedded Critical System Protection technology). Analytics, auditing, and alerting are also key to understanding the nature of threats emerging in this area. Finally, strong SSL/TLS encryption technology plays a crucial role in authentication and data protection.

To protect valuable enterprise data from attackers who may gain access through employee mobile devices, IT security must be devised, implemented, and enforced. Encryption and data loss prevention strategies are critical.

  • Using multi-factor authentication makes it more difficult for unauthorized users to access your network.
  • Symantec Data Loss Prevention can detect data that’s left (or is in danger of leaving) your organization.
  • Symantec encryption can ensure sensitive data is protected no matter where it’s located.

Employees Are the Gatekeepers

Having a strong cybersecurity framework and educating employees about good digital hygiene—in the office, at home, or on the road—is critical to the healthy integration of the IoT and enterprise. Some guidelines for employee digital education policies include:

  • Regularly check a device manufacturer’s web site for updates, and maintain current status.
  • Turn off a device—or at least disconnect from the network—when you’re not actively using it.
  • Many companies share and sell information you provide during device or software setup; consider the actual cost of “free” and limit information you share.
  • Don’t use your name (or the company name) in the device name.
  • Research and consider the reputation of a device manufacturer, as well as software developers and vendors.
  • Use the strongest encryption available when setting up your IoT WiFi network, and use a separate home network whenever possible.
  • Be vigilant when purchasing used IoT devices; they may have been compromised.

Managing risk while embracing the IoT convenience continues to be a challenge. Employees often overlook potential security risks, and many are simply unaware of how their digital behavior can place their company at risk of data loss or breach. The inconvenience of a hacked fitness monitor or home refrigerator may be understood, but vulnerability in cars and medical devices can lead to serious injury or even death.

To attain confidence in the convenience of the IoT, businesses and employees need current and continued security information, and manufacturers need to prioritize and build security into devices, achieving the balance between innovation, ease-of-use, and time-to-market constraints. 

