Blogs

Winning the IoT tug of war

Derek Manky, Global Security Strategist, Fortinet
Derek Manky, Global Security Strategist, Fortinet

In the next few years, businesses may live or die by IoT. Handle it well and your company thrives. Mess it up and you may be faced with an exodus of customers and employees.

There has been plenty of buzz around the Internet of Things (IoT) lately, with discussions around the business opportunities it offers, the conveniences it can potentially bring to the public, and of course, the implications on privacy and data security.

IoT is part of a journey, as the world transitions from Machine-to-Machine (M2M) communications through IoT to the Internet of Everything (IoE). There are three main drivers for it − the proliferation of connected devices globally, the explosive growth of platform independent applications, and mature networking technologies that could connect billions of disparate devices cheaply and effortlessly.

IoT brings about several benefits, including real-time insight/intelligence, 24/7 availability, automation, convenience and cost effectiveness. Enterprises, government agencies and consumers can all benefit from it.

The market opportunities are enormous. Gartner, for instance, estimates that IoT (projected to be made up of some 26 billion devices by 2020) product and service suppliers will generate incremental revenue exceeding $300 billion in 2020. IDC forecasts that the worldwide market for IoT solutions will grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.

Data Loss through IoT a Threat to the Business

IoT will transform the way we do things − be it communicating with people, collaborating or transacting. Many innovative solutions and services will also be created around IoT.

The downside, however, is that IoT will bring substantially higher security risks. First of all, IoT puts a lot more information and activities online. These information and activities can be easily compromised because of two reasons − the exposure of the network is vastly increased with the introduction of IoT devices, and the software powering the IoT devices are often insecure and easily hackable.

In an era when customers and employees expect companies to protect their personal data, this can be a lethal combination. Firms today have the responsibility to safeguard not just their own business assets, but client and staff information on compensation, wealth status, buying and search history, and other sensitive data. This shift from merely protecting customers against unauthorised credit card transactions to safeguarding their personal information and privacy is happening globally, and a violation of these duties could seriously jeopardise a business.

According to a recent Fortinet global survey on IoT, for instance, 62 percent of the respondents said that they would feel “completely violated and extremely angry to the point where I would take action” if they learn that an IoT device in their home was secretly collecting information about them and sharing it with others. If a known IoT device collects data, 66 percent of the respondents insist that only they themselves or parties to whom they have given permission be allowed to access those data.

IoT Devices Easily Hackable

IoT devices are a cinch to break into because they employ a wide variety of modules and common libraries that are usually open source. They also have a tendency to use newer protocols like Universal Plug n Play (UPnP) which have more flaws than older and more established protocols.

Secondly, most IoT manufacturers do not design or build their devices with security in mind, and do not have the necessary response mechanisms when their devices are breached.

Large software vendors like Microsoft and Adobe, for example, have been traditional attack targets and therefore have built secure development lifecycles and frequent patch release cycles. If their software gets hit with a vulnerability, they have product security incident response teams (PSIRTs) to respond promptly to the issue.

In addition, these large software vendors have built many security controls into their products to make it harder for attacks to succeed. Adobe Reader, for instance, now has a sandbox included to provide a higher level of resistance to attack. IoT devices usually don’t have the benefit of such rigorous controls. What’s more, there will be more integration and complexity among IoT devices with passing time, further increasing the number of security flaws. A majority of these will likely be traditional web-based flaws to user interfaces that control the IoT device.

Fortinet’s threat research arm FortiGuard Labs has already detected that hackers are probing non-traditional targets like IoT. Not many attacks have been launched yet but undoubtedly, an upward trajectory is predicted in the months ahead. IoT device attacks represent a path of least resistance and are a prime opportunity for hackers, who know that without proper PSIRT teams in place to manage patches and fix IoT security problems, their attacks can enjoy success for a longer period of time. If a device is connected, has storage, memory and a processor – they are the perfect candidate for attack. Often times, an IoT device will serve as an intermediate ‘launch pad’ to a secondary attack within the internal network.

The Buck Stops at the Network

With IoT’s larger attack surface, endpoint security and management becomes much more fragmented. Most IoT devices wouldn’t come with antivirus control but even if they did, the size and diversity of the IoT ecosystem would make the process impossibly complex to manage.

Network-based inspection, therefore, is the only way forward for IoT. Every network will need a security appliance that is intelligent enough to deeply inspect code written for these non-traditional platforms. We refer to this as platform agnostic inspection, and it is the best way to scale along with IoT.

For every data request, this appliance must be able to ascertain three pieces of critical information − who is the user, where is he going, and what data does he need. This means the network will need to incorporate traditional network protection technologies like firewall, intrusion prevention, Web filtering and antimalware solutions to enforce policies, control applications and prevent data loss. More importantly, that content needs to be inspected due to the growing attack surface. Threats can hide just about anywhere nowadays − it’s easy to find them embedded within otherwise legitimate traffic streams.

Only with such intelligent solutions, well-crafted policies and vigilant IT security personnel can enterprises hope to win the tough battle against IoT security and keep their business on an even keel.

Previous ArticleNext Article

Leave a Reply

GET TAHAWUL TECH IN YOUR INBOX

The free newsletter covering the top industry headlines

Send this to a friend