No one doubts anymore that internet of things (IoT) devices pose a huge security threat, as a recent massive IoT-fueled DDoS attack made clear. But what many enterprises have yet to wake up to is that major structural changes are needed, involving IT and the C-level executives above IT. IoT is a new and different kind of threat that cannot be fought effectively in the old-fashioned way.
From an enterprise's perspective, there are three sides to the IoT threat: 1) being attacked by a botnet of compromised IoT devices from around the world; 2) allowing enterprise-owned IoT devices to participate in such an attack against others; and 3) allowing your own IoT devices to attack your own company. Making structural changes to your business will do nothing to help you defend against the first scenario, but it could make a profound difference in blocking scenarios two and three.
The structural IoT problem is that many of these devices are purchased and approved far from IT or the CISO's team. Consider door locks and light bulbs bought by Facilities, or beacons bought by Operations or Marketing. Cases have been reported where a penetration test of a network, the same probing a cyberthief would do to find weaknesses before an attack, unintentionally released the IoT locks on doors at headquarters. IoT light bulbs have also been made to flicker in a pattern that broadcast data to someone watching the window from outside. Neither failure would be caught by a security review that never knew the devices existed.
As IoT brings network connectivity to devices that have historically never needed IT approval, this problem needs a fix. Mission one: train all employees in every department to recognize what constitutes an IoT device, because manufacturers describe the same thing with very different marketing terms; a practical test is that anything with an IP address, a radio or a vendor app counts. Mission two: require that IT or the CISO's office approve all of them, without exception.
One huge problem with IoT devices is that some carry their own communications capability, such as a tiny built-in cellular or other radio, ostensibly so that the device can call home for firmware updates. Self-updating devices may look convenient to a facilities manager, but a radio the company does not control opens a two-way channel that bypasses every network security control: traffic over it never crosses the corporate firewall, proxy or monitoring, so nothing there can see, block or log it. Ask vendors specifically whether a device contains any radio beyond the one you provision, and what it talks to.
Wireless monitoring can in principle detect every independent radio signal anywhere on a corporate campus, but with most campuses flooded with smartphones, tablets, wearables and wireless laptops, separating an unmanaged device from legitimate personal gear may not always be a practical defense.
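One way to make that wireless monitoring less noisy, as an added example that is not from the article or any product it mentions: compare survey records against the approved inventory and keep only radios that are both unregistered and persistent. The survey data, the inventory and the night-time window are all constructed assumptions; the heuristic (a device bolted to the building stays overnight, while the phones and laptops that flood the spectrum mostly go home) is mine, and its output is a triage list, not a verdict.

```python
"""Flag persistent, unmanaged radios in a wireless survey.

Added example, not from the article. Each survey record is a
constructed tuple (mac, advertised name, day number, hour, sensor).
Radios on the approved inventory are ignored; radios seen on only a
few days are treated as transient personal gear; what remains, radios
seen day after day including overnight but never approved, are the
candidates for an unmanaged IoT device with its own link out.
"""
from collections import defaultdict

# Constructed approved inventory: radios IT/CISO has registered.
APPROVED = {"aa:bb:cc:00:00:01"}


def _constructed_survey():
    """Build one constructed week of survey records."""
    rows = []
    for day in range(1, 8):
        # approved smart lock, on the inventory, seen around the clock
        rows += [("AA:BB:CC:00:00:01", "LOCK-HQ-3F", day, h, "3F-north") for h in (3, 14)]
        # unapproved smart bulb with its own radio, also seen around the clock
        rows += [("DE:AD:BE:EF:00:02", "BULB-7C3A", day, h, "2F-lobby") for h in (2, 15)]
    for day in range(1, 6):
        # employee phone: every workday, but only during working hours
        rows += [("11:22:33:44:55:66", "Galaxy-S", day, h, "2F-lobby") for h in (9, 17)]
    # visitor laptop left switched on overnight once
    rows += [("77:88:99:AA:BB:CC", "LAPTOP", 3, h, "2F-lobby") for h in (1, 4)]
    return rows


OBSERVATIONS = _constructed_survey()


def persistent_unmanaged(observations, approved, min_days=5, night=(22, 5)):
    """Return sorted [(mac, name, days_seen, sensors)] for radios that are
    not in the approved inventory, were seen on at least min_days distinct
    days, and were seen at least once in the night window (hour >= start
    or hour < end). Heuristic only: a laptop left on overnight all week
    will also appear here, so treat the list as a starting point."""
    start, end = night
    approved = {m.lower() for m in approved}
    days, sensors, names, nights = defaultdict(set), defaultdict(set), {}, set()
    for mac, name, day, hour, sensor in observations:
        mac = mac.lower()
        if mac in approved:
            continue
        days[mac].add(day)
        sensors[mac].add(sensor)
        names[mac] = name
        if hour >= start or hour < end:
            nights.add(mac)
    return sorted(
        (mac, names[mac], len(days[mac]), sorted(sensors[mac]))
        for mac in days
        if len(days[mac]) >= min_days and mac in nights
    )


if __name__ == "__main__":
    for mac, name, n_days, where in persistent_unmanaged(OBSERVATIONS, APPROVED):
        print(f"unmanaged radio {mac} ({name}) seen on {n_days} days by {where}")
```

With the constructed data only the bulb is reported; the lock is filtered out by the inventory, the phone by the overnight rule and the visitor laptop by the day count. Lowering min_days pulls the laptop in, which is the trade-off the thresholds encode.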
There is another oversight issue. Moving from ordinary devices to IoT versions often means a much higher price tag, and while that will almost certainly bring additional oversight (a.k.a. micromanaging), it is oversight from the perspective of cost, not security. A division general manager, an assistant treasurer or some other business manager will not be thinking about security when dealing with seemingly innocuous items, and that is one of the first things that has to change.