When Devices Attack: Surviving the IoT Invasion
In the spirit of Halloween, this blog series examines CSO survival techniques and relates them to horror movies. Why? Because if cyber security isn’t done correctly, it can be quite scary.
A machine or robot uprising is a fairly common plot device in horror flicks, and has been for decades.
Just look back 30 years to master of horror Stephen King’s “Maximum Overdrive.” I’ll spare you all of the ins and outs, but here’s the gist: a group of people fight to survive after machines come alive and become homicidal. And it’s backed by a killer AC/DC-led soundtrack.
You might be asking: that’s great, Chase, but what’s this got to do with security and CSO survival? Oh, a lot. Especially today.
The Dawn of IoT
It’s called the Internet of Things (IoT) — the collection of devices that are connected to the Internet. According to Gartner, 6.4 billion IoT devices will be in use this year, while Cisco estimates that there will be 50 billion come 2020 (with 250 things connecting to the Internet each second).
And while these devices and machines won’t be homicidal, like in “Maximum Overdrive,” they can be used to do a heck of a lot of damage.
Take the recent pair of colossal distributed denial of service (DDoS) attacks targeting Krebsonsecurity.com and hosting provider OVH. Reaching more than 600 Gbps and 1,000 Gbps, respectively, these DDoS attacks are among the largest on record, and both were launched using botnets comprising hundreds of thousands of unsecured IoT devices, like cameras.
It takes just seconds to grab a device and enlist it in a botnet for a DDoS attack. Just look at the Mirai botnet, which has infected more than 150,000 IoT devices.
That’s what’s so scary about IoT: security holes and vulnerabilities can literally lurk anywhere, and the most dangerous ones are in the devices you don’t even think about, or didn’t know could be hacked.
Take USB charging stations, for example. They’re in airports, conference centers, coffee shops, Uber cars and a host of other places. Hackers could easily plant malware and just wait for some unwitting soul to connect their device, or kill the device altogether once it’s connected.
Medical devices, too, are susceptible to security hacks and breaches. What happens if a hacker wants access to a wireless insulin pump, a defibrillator or a pacemaker? It’s possible.
And those are just two types of devices. IoT devices also include parking meters, cars, trucks, tires, washers and dryers, thermostats, cattle, you name it.
The Risk is Real
This makes it imperative for CSOs and CISOs not only to implement strong security at the network edge, but also to enforce unyielding security policies regarding connected devices. CSOs must also help shift the company culture.
Users and their devices are at risk, and if they bring those devices into your organization and connect them to your network, you’re at risk too. While instilling best practices helps, IoT security requires a cultural shift and education to help your end users understand the risks and the dangers, while also teaching them how to properly secure their personal IoT devices, lest they be used to attack your corporate network.
Good security is not that difficult. If CSOs implement a few simple things, it gives bad actors more hurdles to leap. More likely, they’ll move on to an easier target once they encounter a hurdle. I’ve used this analogy before, but it works, so I’ll keep using it until people pay attention: cyber security is like being in a zombie marathon. To survive, you don’t have to be the fastest or the best, you just have to outrun the guy next to you.
IoT Security Best Practices
If a CSO can implement a few simple things, such as two-factor authentication, biometrics or basic encryption, their risk is greatly reduced.
Two-factor authentication alone reduces your risk, because it eliminates the ability for a hacker to leverage an IoT device with just a username and password, which are historically easy to find or crack. A second line of defense, like an SMS text or a phone call, ups the ante. Remember when there was the threat of credit card theft at gas stations? The gas companies were able to reduce credit card thefts by 94 percent just by making credit card users enter their zip code. Simple, but super effective.
Encryption is also a must. If IoT devices are being used across your network, ensure that data is encrypted. While the device makers themselves should have encryption built in, many don’t, and they rely on end users to enable it. Enforcing strong encryption rules is imperative, especially considering the amount of data that IoT devices transmit over wireless networks.
Organizations can also try honeypotting, or using a decoy to lure potential attackers. Honeypotting is something every CSO should implement. The last time I used a honeypot with basic system controls it had roughly 186,000 connections in less than 12 hours. Within the first five minutes, it had 5,000 hits.
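As an added illustration of the honeypot idea above (not code from the original post): a low-interaction decoy that accepts TCP connections, records who connected and what they sent first, and summarizes the hit counts. The port 2323, the banner and the five-minute window are assumptions chosen for this example.

```python
import socket
import threading
import time
from collections import Counter

BANNER = b"login: "  # constructed decoy prompt; no real service sits behind it

def record_connection(conn, src_ip, events, now=time.time):
    """Show the banner, capture the first bytes sent, append one event."""
    with conn:
        conn.settimeout(1.0)
        try:
            conn.sendall(BANNER)
            first = conn.recv(256)
        except OSError:  # timeout or reset: still a hit worth counting
            first = b""
    events.append({"ts": now(), "src": src_ip, "first_bytes": first})

def serve(host, port, events):
    """Accept loop for the decoy; one short-lived thread per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        while True:
            conn, (ip, _port) = srv.accept()
            threading.Thread(target=record_connection,
                             args=(conn, ip, events), daemon=True).start()

def summarize(events, window_s=300):
    """Total hits, hits in the first window_s seconds, and hits per source."""
    if not events:
        return {"total": 0, "first_window": 0, "by_source": {}}
    start = min(e["ts"] for e in events)
    early = sum(1 for e in events if e["ts"] - start <= window_s)
    by_source = Counter(e["src"] for e in events)
    return {"total": len(events), "first_window": early,
            "by_source": dict(by_source)}

if __name__ == "__main__":
    hits = []
    # Assumed bind address and port; run the decoy on an isolated segment.
    threading.Thread(target=serve, args=("0.0.0.0", 2323, hits),
                     daemon=True).start()
    time.sleep(60)
    print(summarize(hits))
```

Nothing legitimate should ever connect to the decoy, so every recorded event is worth a look, and the per-source counts show which addresses to check against the rest of the network's logs.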
Those solutions mean you’re running faster than the guy next to you, and he’s more likely to get caught and eaten by the zombies.
Don’t wait for the “Maximum Overdrive” moment. IoT security issues exist, and they’re causing real damage. Don’t wait until your business is affected to implement security policies and tools to protect against IoT-borne attacks. Make it a priority now, and survive the rise of the machines.