Security needs to be baked into IoT devices for there to be any chance of halting a DDoS attack, according to security experts.
Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said.
With the sheer velocity of how the distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players, makes this sector scary from a security standpoint.
“Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts.
The analyst firm adds that when smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed. Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching.
Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network. The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb. This was demonstrated in September in a major DDoS attack on the web site of security expert Brian Krebs. A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests from Krebs’ site.
“It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked. If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”
Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017. Innovative criminal enterprises will devise ways to monetize on potentially billions of internet-facing devices that many times do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says.
Florin Lazurca, senior technical manager at Citrix
Mike Kelly, CTO of Blue Medora, says, more connected devices will create more data, which has to be securely shared, stored, managed and analyzed. As a result, databases will become more complex and the management burden will increase. Those organizations that can most effectively monitor their database layer to optimize peak performance and resolve bottlenecks will be in a better position to exploit the opportunities the IoT will bring, he says.
Lucas Moody, CISO at Palo Alto Networks, says security has to be baked into the IoT devices – not be an afterthought. The bloom of IoT devices has security practitioners in the hot seat, with industry analysts suggesting a possible surge up to 20 billion devices by 2020.
“Given the recent upward trend in both frequency and intensity of DDoS attacks of late, 2017 will introduce an entirely new challenge that security teams will need to contend with; how do we secure devices, many of which are by design dumb and, for that matter, cheap?,” he says.
Large corporations are still challenged with finding security talent to manage security in the “traditional” sense, leaving IoT startups to fend for themselves in a digital economy.
Moody asks, can they keep up? For the interconnected future of cars, televisions and refrigerators, maybe, but maintaining the security of smaller – and seemingly less critical items – such as toasters, thermostats, and pet feeders, it seems unlikely.
“Security has to be baked into these technologies from the conception and design stages all throughout development and roll-out. Security practitioners will need to do more than just scramble to develop strategies to address this pivotal trend,” he says.
Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. With the shear volume of internet-connected devices growing every year, IoT represents a huge attack surface for hackers. More disturbingly, many IoT manufacturers do not create devices with security in mind, and therefore release devices full of potential vulnerabilities. Many of their products have vulnerabilities that were common a decade ago, providing easy pickings for cyber criminals.
Many IoT devices coming on the market have proprietary operating systems, and offer very little compute and storage resources. Hackers would have to learn new skills to reverse engineer these devices, and they don’t provide much in terms of resources or data for the attacker to steal or monetize. On the other hand, another class of IoT products are devices running embedded Linux. These devices look very familiar to hackers. They already have tools and malware designed to target them, so “pwning” them is as familiar as hacking any Linux computer.
“On top of that, the manufacturers releasing these devices seem to follow circa 2000 software development and security practices. Many IoT devices expose network services with default passwords that are simple for attackers to abuse,” Nachreiner says.
He cited the leaking of the source code for the Mirai IoT botnet. This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices, and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices. They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic; the largest ever recorded.
In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets. Expect to see IoT botnets explode next year, he says.
Mike Davis, CTO at CounterTack, believes IoT will continue to be a part of the threat conversation in the coming year, but fundamentally there will be a massive change in the risks associated with the devices — it won’t be about security, it will be about patching.
Hold your IoT security hypberbole
Stan Black, CSO at Citrix, says we need to dispel security myths around emerging technology like IoT, machine learning and artificial intelligence.
“Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply. Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” he says.
Adoption of emerging tech like IoT can actually have more security benefits than challenges, if implemented correctly, Black says. The same goes for machine learning. The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture.
The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the normal amount of pressure your fingers normally apply. Taking advantages of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.
“The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc. These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds.
These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army. This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections — like those offered by Google and AT&T — and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built).
Consumers will need to protect their personal networks from this new version of Mirai botnets, creating demand for services that safeguard them. More importantly, vendors will need to adopt better standards for protection of devices. If the Mirai botnet is any indication, the lack of security in device design is still quite profound, Black says.
Speaking of standards
Steven Sarnecki, vice president of federal and public sector at OSIsoft, pointed to the National Institutes of Standards and Technology’s (NIST) National Cyber Center of Excellence for a glimpse of what is to come. NIST is currently piloting a project to assess how energy companies can better utilize connected devices to integrate and increase security with hopes of sharing those best practices and insights across the energy sector.
“As more companies wake up to the reality of IoT security threats, these solutions will become more commonplace, enabling enterprises to markedly increase their security footprint with only minimal incremental cost,” he says.
Sarnecki adds that in 2017 he would expect a large portion of IoT users, especially within the enterprise and industrial spaces, to begin to seriously consider the “internet of threats” aspect posed by IoT to their networks. Energy companies, water utilities, and many other critical infrastructure sectors rely on connected devices to support their missions.
Jeannie Warner, security manager at WhiteHat Security, agrees that new guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.
“The internet of things is growing daily, with smart devices and controlling applications at the core of every business from healthcare to smart cars and smart buildings. It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities,” she says.
In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, she believes NIST SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing.
Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications that combine to expand the borders of the security ecosystem, she says. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.
The enterprise has paid attention to IoT for some time, though 2017 will be the year we move past the “wow” phase and into the “how do we do we securely and effectively bring IoT to the enterprise, how do we handle the high speed data ingest, and how do we optimize analytics and decisions based on IOT data,” says Redis Labs Vice President of Product Marketing Leena Joshi.
Mark Bregman, Chief Technology Officer at NetApp, believes 2017 will be about capitalizing on the value of data. The explosion of data in today’s digital economy has introduced new data types, privacy and security concerns, the need for scale and a shift from using data to run the business to recognizing that data is the business.
Off-line data analytics and threat hunting become endless money pits, says Gunter Ollmann of Vectra Networks. “We’re told, and we observe, that each year our corporate data doubles. That power-of-two exponential growth, after merely four years of storing, mining, and analyzing logs for threats, means a 16-fold increase in overall costs — with an accompanying scaled delay in uncovering past threats.”
Cybersecurity will be the most prominent big data use case, says Quentin Gallivan, CEO of Pentaho, a Hitachi Group Company. As with election polls, detecting cybersecurity breaches depends on understanding complexities of human behavior. Accurate predictions depend upon blending structured data with sentiment analysis, location and other data.
This then opens another door for hackers. WatchGuard’s Nachreiner says attackers will start leveraging machine learning and AI to improve malware and attacks.
“In the past few years, cyber security companies have started leveraging these technologies to help defend our organizations. One of the big problems in infosec today is we are too reactive, and not predictive enough when it comes to new threats. Sure, once we recognize a piece of malware or a new attack pattern, we can design systems to identify and block that one threat, but hackers have become infinitely evasive. They have found techniques that allow them to continually change their attacks and malware so regularly that humans and even basic automated systems can’t keep up with the latest attack patterns. Wouldn’t it be great if we had technology that predicted the next threats instead?,” he says.
Machine learning can help us do just that. By feeding a machine learning system a gigantic dataset of good and bad files, or good and bad network traffic, it can start to recognize attributes of “badness” and “goodness” that humans never would have noticed on their own.
“Next year, I expect the more advanced cyber criminals to start somehow leveraging machine learning to improve their attacks and malware,” he says, adding that today, both good and bad guys have easy access to open source machine learning libraries like Google’s TensorFlow.
The security community as a whole will utilize big data more effectively in order to identify trends and threats, predicts Matt Rodgers, head of security strategy at E8 Security. “Organizations have the information they need, but they cannot find it. In 2017, companies will start looking at their data sets through advanced analytics to identify trends and risks. Big companies are already starting to augment their existing SIEM technology with behavior analytics capabilities to this end,” he says.