By Murtaza Bhatia
Security today is probably more complex than ever before, and it isn’t as simple as deploying technology to safeguard IT assets. On top of that, the advent of the Internet of Things (IoT) introduces security challenges that cannot be resolved with traditional measures.
According to Dimension Data’s Global Threat Intelligence Report 2017, the number of connected devices will nearly triple over the next three years, and for hackers each of those devices is a potential endpoint to exploit. It is this convergence of IT and non-IT devices that will lead to an enormous number of security vulnerabilities to manage.
To understand the gravity of the situation, let’s consider some of the cyberattacks that took place through IoT. Last year, the Mirai botnet took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and several other major websites. This piece of malicious code took advantage of devices running out-of-date versions of the Linux kernel and relied on the fact that most users do not change the default usernames and passwords on their devices.
Then there was the “cold attack” in Finland, in which cybercriminals managed to hack into the central heating system of two housing complexes, causing the system to reboot continuously so that the heating never really kicked in. This year saw attacks by BrickerBot, which permanently incapacitates poorly secured IoT devices; in other words, it kills the device.
As the number of IoT devices increases, attempted attacks on these devices will only increase with it. There are various ways in which the security of an IoT system can be compromised. For example:
- Data collected from the IoT system could be made available to competitors or sold illegally. This data can be extremely valuable, and its availability to unauthorized parties can also expose the organization to legal issues.
- Attackers may access IoT cameras and other devices to spy on people. They can use the devices to obtain personal information.
- Sensors can be made inaccurate. Attackers could turn off the temperature monitoring for a server rack and turn up the data center thermostat, which could result in undetected failure of devices due to extreme heat. This is critical: it may well have a financial impact, and it also has the potential to affect human lives (e.g. when a flood gate is open but the control centre is shown “closed”).
- Last but not least, attackers can compromise IoT devices and use them as a launch pad for other internal and external attacks.
IoT devices are no different from other IT devices when it comes to cyberattacks; the Mirai botnet is a classic example. While the list above gave an overview of what an attack on IoT can do, let’s look at the various ways DDoS attacks using IoT devices can bring an organization to a standstill:
- Attacks can prevent customers, partners, and others from accessing your organization’s internet-facing resources, impacting sales and other daily operations.
- Attacks can prevent employees and internal systems from accessing the internet, seriously disrupting many facets of operations.
- Attacks may knock one or more organizations that provide services to your organization off the internet, breaking your organization’s supply chain.
- Compromised IoT and OT devices within your organization may participate in DDoS attacks against other organizations, damaging your organization’s reputation and potentially resulting in some or all of its internet presence being blacklisted.
Now the question is: what can be done to ensure that cyber threats are mitigated effectively and efficiently? Some of the measures that should be taken are:
- If a device doesn’t need internet access, do not configure internet access for it.
- Keep all IoT devices updated and configure them to automatically download and install updates whenever available.
- Before configuring the devices, change the passwords, and revise them periodically.
- Expand business continuity and incident response to cover DDoS attacks.
- Extend existing patch management and software configuration management processes and technology to include IoT devices.
IoT is here to stay and so are the attacks on these devices. Caution while setting up these devices and a continuous and watchful eye on your network can help mitigate security breaches by way of IoT devices.
The author is Practice Head, Security & Data Centre, Dimension Data, India