Editor’s Note: This article was originally published in September. The version below has been updated from the original.
Whether at the office, on the road, or at home, you are likely using at least one smart or connected device. As more of these ‘things’ come online, the potential for a domino effect with cyber crime increases. For business leaders, this is an opportunity to reassess existing security infrastructure. Fortunately, the rules are the same as usual–segmentation with layered security. What’s different is a critical need to increase awareness and visibility and not make blind assumptions.
Earlier this year, analyst firm Gartner predicted that 8.4 billion devices would be in use in 2017. As cyber criminals become more enterprising, security in relation to connected things—or IoT—becomes paramount. To help us understand the implications and what cyber security executives must do in the face of this risk, we talked with Dorit Dor, vice president of products at Check Point Software.
CT: Dorit, before we go too deep into the conversation, let’s start with what we mean when we use the term IoT.
DD: When we talk about IoT—or the Internet of Things—we are usually referring to purpose-built devices that include sensors, communication abilities, and computer logic. For instance, medical devices, video cameras, networked machines at local transit stations, smart vending machines, and any number of devices within our homes, or even in or on our bodies are part of IoT. All of these have processors, operating systems (OS), software, and unfortunately at times—vulnerabilities—just like any PC. There is nothing magical about these “things.” They’re just purpose-built computers connected to the network.
CT: Can you give us a couple of examples where hackers have exploited IoT insecurities?
DD: Sure. Recently, Check Point uncovered a vulnerability that lets an outsider take control over various home appliances that are part of the LG Smart ThinQ platform*: refrigerators, ovens, washer and dryer machines, air conditioners, and home-cleaning bots. What we found was that we were able to remotely control the LG HomeBot and its built-in video camera and effectively spy by gaining control and watching live-stream video from within the home. You might think this doesn’t affect the enterprise, but we all know that we live in an age where business takes place at home and home devices are used in the business.
I’ll give you another example. Last October we witnessed an attack called Mirai, which targeted home surveillance cameras, routers, and set-top boxes. Hackers used a simple exploit in the form of a default password and managed to take over around 200,000 devices and use them for a DDoS attack against a major Domain Name Service (DNS) Infrastructure in North America. As a result, some of the very popular web sites serviced by that DNS were knocked out for a few hours. I think we will see more such attacks in less-sophisticated IoT devices as more “things” come online.
CT: So where does the security problem come into play?
DD: Not all IoT devices are built the same. Some can have inherent flaws that are known, making them easy targets, from a hacker’s perspective. For instance, there could be a problem with the operating system or the software. Perhaps the device wasn’t designed or implemented correctly.
Outside of a product recall, some devices don’t even have any update capabilities. Or, they weren’t designed with security in mind to begin with—leaving them prone to future attacks. This is especially true with some of the low-cost/low-power/fast-to-market manufacturers.
On top of that, people dealing with IoT are at times less familiar with the dangers than those of us in the enterprise world who know the risks very well. Once this gap is closed and people get it, environments will become more secure.
CT: Who should be held accountable here?
DD: Let’s start with the fact that we all need to take responsibility. Too often we see organizations approaching IoT projects with security as an afterthought rather than by design. Many have no idea how self-sabotaging this can be. Effective security needs to be implemented at the architectural level, from the ground up. It’s your best bet at prevention, versus merely detecting a problem once it’s in. But you can’t stop there. When organizations select their various IoT device providers, they need to conduct due diligence to make sure there are reasonable security mechanisms in place—and if possible, are upgradeable in the field.
When you deploy a device, start by asking yourself if it’s secure. You can’t assume manufacturers have done the work for you. You need to always think about how to protect your organization. Smart devices need to be thoroughly reviewed and secured like any other device on the network—no exceptions. The good news is that much of this can be done with standard tools available today.
Start with segmentation—the same principle we’ve known for more than 20 years in security. Different devices need to go in different segments of the network based on their security level and their purpose, with firewalls and policies that control access and communication. If your cameras are located in a different segment than your PCs and your servers, it’s much easier to control who is allowed to access the camera and to prevent the cameras from accessing your servers. Anything you can do to make it harder on cyber criminals is a good thing.
In addition to segmentation, advanced threat prevention techniques can stop attackers from exploiting vulnerabilities in the software of IoT devices. I can’t stress enough that whether you’re talking about a server, a computer, or an IoT device, you have to exercise the same common sense.
CT: What about manufacturers? How liable are they if what they manufacture proves to be insecure?
DD: Interestingly, we are just starting to see governments try to enforce more accountability. Last month we heard rumblings in Europe about authorities pressing manufacturers to introduce security ratings for their wi-fi products. And even more recently, on Aug. 1, a group of US senators introduced a bill called the Internet of Things Cybersecurity Improvement Act of 2017. It draws from the expertise of the National Institute of Standards and Technology (NIST). The bill would require that IoT devices sold to the U.S. government meet three standards: 1) Devices would have to be free of any known security vulnerabilities; 2) They would have to be able to be updated with patches; and 3) They would have to let users change their default passwords. These guidelines might seem obvious, but it’s an important step in the right direction.
CT: Any last thoughts?
DD: Analysts predict 25 percent of cyber attacks in 2020 will target IoT environments. This is real and it’s serious. We need to look at IoT security today with a practical view. And, think about what’s ahead. What we see right now is just the beginning of something else to come.
As I mentioned earlier, connected devices have the same vulnerabilities as any computer. It’s simply another version of the same story. To have a path to a future world of IoT that is secure, you need to implement it like any other major IT project: Build from the ground up with a security architecture in mind; review all devices alongside their security capabilities; and create multiple layers of protection within the network. So, if a flawed device is exploited by hackers, the breach will be contained within the device segment, and will not affect other elements of your infrastructure. Remember: Hackers will try to use IoT devices as beachheads into other parts of the network.
*Learn more about the LG vulnerability at the Check Point blog.