Inevitably, the IoT build-out is bringing new security issues. A recent Trustwave report says 61% of surveyed companies in the sector have traced a security incident to an IoT device, and 24% have dealt with resultant malware intrusion. They also reported IoT attacks up by 9%. (Source: “IoT Cybersecurity Readiness Report”.)
The main culprits are misconfigured network devices. These open the way to attacks including malware, sabotage, and DDoS.
But while 55% of companies surveyed believe an IoT-related attack will happen during the next two years, only 49% have instituted formal patching policies. This is more than a little worrying, as attacks are already baked in.
* In September 2017, researchers outlined Bluetooth vulnerabilities (BlueBorne) potentially targeting billions of connected devices: everything from smartphones to entire ranges of printers, smart TVs and IoT devices using the short-range wireless protocol. Wireless hacks can take full control over IoT devices.
* In October, hackers were spotted on forums sharing code to scan the internet for unprotected IoT devices and dump weak credentials, preparing the ground for massive DDoS hacks.
It’s a jungle out there
One problem is the huge ecosystem of devices, protocols and defences spread around IoT. The Trustwave report states that only 10% of respondents are ‘very’ confident they’re protected. (62% are ‘somewhat’ or ‘not’ confident.)
What about businesses that don’t run any IoT devices? Well, they probably soon will. And in the meantime, other people’s IoT can be taken over to launch DDoS attacks against their systems, as with the 2016 Mirai botnet, which hijacked 360,000 unprotected IoT devices.
What’s the answer?
For now, companies should plan a patching policy for IoT devices. Where practical, you should keep the devices on a separate network, segregated from critical assets, and also mandate an update policy.
It’s also a good idea to avoid procrastination. The survey showed that only around a third of businesses patched their devices within 24 hours of the fix being available, with half saying it takes them two or more days to patch. That’s a lot of time for the hacking pack to make merry with your IoT.
About the report:
Osterman Research performed the survey for Trustwave. The survey was conducted in November 2017 with 137 panel members.