Internet of Things: Small Business’s Latest Security Threat
Every wireless sensor or networked device, including those IoT items, could let attackers into your system.
Credit: ShutterstockWhen many small businesses think about developing a security system, the focus is primarily on securing the devices that involve the exchange and storage of important data – computers, smartphones and tablets. However, more devices collectively known as the Internet of Things (IoT) are connecting to the company network, creating a new segment of cybersecurity threats.
"The problem with IoT devices is that every wireless sensor and each networked device provides a possible entry point for attackers," explained Rob Lundahl, marketing coordinator with Nuspire Network, a managed security service provider. "If attackers are able to bring down large scale websites, how difficult do you think it would be to infiltrate a small business network?"
IoT is composed of the dozens of devices hiding in plain sight, some that you may not even realize are connected to the internet. These include alarm systems, web cameras, routers, GPS, vehicle computers, HVAC systems and even medical equipment like pacemakers. Most of these devices were never designed with internet security in mind; yet, they have fairly robust internet connectivity capabilities.
"Once a device is located by an attacker — usually with an automated program — they will attempt to connect using the default administrator credentials, which most users never change," said Leon Adato, head geek with SolarWinds. "From there, installing malware is a simple process."
Malware in IoT was an afterthought until late 2016 when compromised devices caused a Distributed Denial of Service (DDoS) attack that took down many popular websites for an extended period. After source code for malware called Mirai was released, it was used to infect insecure IoT devices. Once the devices are infected with malware, the device becomes a botnet or zombie that can be used to create DDoS attacks against other networks. Cloud provider Dyn and the country of Liberia are two high-profile IoT-botnet DDoS attacks.
Because IoT devices lack built-in security, they are an easy target, according to Ofer Amitai, CEO and co-founder of Portnox, which provides network access control and management solutions. "When a hacker takes control of an IoT device, he promptly takes measures both to deny access to the legitimate owners and to start controlling this device remotely. Once that happens, all the hacker needs to do is send a command to the controlled botnet to start generating traffic against the target servers."
While this model of a massive DDOS attack based on botnets is nothing new and has been observed for years, Amitai added, the big and dangerous change is the simplicity and speed of building such a botnet based on compromised IoT devices.
Infected IoT impacts a small business in at least multiple ways. The devices themselves are more sluggish and don't work effectively because they are bogged down with malware. The malware can spread to other connected devices within the same network, putting data at risk. And the devices can be used to cause disruption against other networks, which could then end up affecting your own business operations, i.e., your infected devices target a DDoS attack against your company's cloud provider and disconnects you from your customers.
To avoid waking up one day to massive vulnerabilities that affect sensitive data, security specialists must plan to classify, monitor and respond to threats before they compromise the entire organization, said Vanessa Henri, cybersecurity legal expert at Above Security.
"Small businesses should carefully control and choose the IoT devices that are connected to the company's network and be mindful of BYOD policies," she explained. "Smart locks, connected cameras to monitor in real-time and mobile credit card readers that connect to smartphones and tablets are examples of smart IoT devices that can help avoid vulnerabilities."
Addressing IoT security is all about using common sense, SolarWind's Adato added. "If you have a device and it is connected to the internet, take the basic steps to get into the administration panel and change the admin name, the password, etc. Also turn off the ability to get into the admin panel from the internet. If it has security options, read about them and turn on the ones that make sense."
Other tips to better protect IoT devices from being turned into zombies include:
- If the device doesn't need to be connected to the internet, disconnect it from the network. "Some things have internet capabilities that you didn't ask for and will never use," said Adato.
- Carefully manage the inventory of all your connected IoT devices. "Don't assume you know all you have; it's very possible that one of your employees or suppliers is already running on your corporate network a new and unlisted IoT device," said Amitai.
- Control the process of how you connect new devices and prevent unsanctioned devices from plugging into your network. Amitai recommended that all IoT devices be approved before they are allowed to connect.
- Isolate IoT devices as much as possible from other computers and servers on you network. By doing so, the risk of devices storing sensitive data becoming compromised due to an IoT infection decreases.
IoT isn't going anywhere. The market is growing, with developers continuously coming up with ways to connect virtually anything to the internet. Until these developers bake security into the devices, small businesses will have to remain vigilant to recognizing IoT's potential security risks.