Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

IoT Poses Security Challenge to Enterprise Networks

There are many things in the Internet of Things (IoT); so many that enterprises are often finding themselves challenged to keep up and secure them all.

There are many things in the Internet of Things (IoT); so many that enterprises are often finding themselves challenged to keep up and secure them all.

In a new study from OpenDNS entitled ‘The 2015 Internet of Things in the Enterprise Report’, researchers found that IoT devices are common in highly-regulated industries, even though the infrastructure supporting those devices has its share of cracks in it.

“The traditional approach of designing a strong perimeter and controlling everything inside of that perimeter just isn’t possible anymore,” said Mark Nunnikhoven, senior research scientist on the OpenDNS Security Labs team.

To get a sense of the situation, OpenDNS examined the more than 70 billion Internet requests it resolves and routes daily over a three-month period. These requests come from roughly 50 million active consumer and enterprise users from more than 160 countries.

According to the report, the data showed that the top three verticals penetrated most by IoT devices are education, managed service providers and healthcare. The most surprising finding, said Nunnikhoven, was the degree to which IoT devices have already been deployed in the enterprise.

“Our initial assumption was that we’d see some IoT devices in every vertical, but it surprised us that some highly-regulated industries…were in our top results for the amount of IoT-related traffic on their networks,” he said.

“Networks in these industries should be tightly controlled, given the nature of the data they hold,” he continued. “Our research shows that this isn’t the case and that conclusion is also backed up by the results of the survey we conducted. The survey results show a significant disconnect between the expectations of the IT teams and the realities of their deployments.”

In fact, the survey – which fielded responses from more than 500 IT and security professionals and 500 consumers about IoT device usage in the workplace – found that while 75 percent of the IT pros said they currently have a defined policy for employee-owned IoT and Internet connected devices in place, roughly 65 percent of the consumers were unaware of an IoT policy or believed their companies did not have one.

Advertisement. Scroll to continue reading.

According to OpenDNS, the principal risks facing IoT devices in the enterprise include: IoT devices introducing new possibilities for remote exploitation of enterprise networks; infrastructure used to enable IoT devices being beyond both the user and IT’s control; and IT’s sometimes casual approach to IoT device management cleaving devices unmanaged and unmonitored. The report also found that some networks hosting IoT data are susceptible to patchable vulnerabilities such as FREAK and Heartbleed.

“I would urge IT and security teams to avoid deeply integrating IoT devices into their authentication strategy, and to be on the watch for unusual spikes in traffic coming from those devices,” said Trey Ford, global security strategist at Rapid7.

“Many companies have a hard enough time keeping track of what systems are on their networks – IoT is only the latest addition to the list of considerations to stack on top,” he said. “I think the big push for NAC (network access control) has lost steam as BYOD (bring-your-own-device) and the consumerization of IT [has] helped change the way we look at other devices on the network. There is a striking difference between BYOD and IoT: the management of code. The personal hardware – privately owned laptops and mobile devices – tends to do a decent job of self-updating. IoT will keep more deprecated code and old school vulnerabilities on the network for a long time to come.”

According to Nunnikhoven, knowing what is running on the network should be the first step for enterprises.

“Some devices might not pose a risk to your organization, while others might be of significant concern,” he said. “For instance, you may not be concerned about your employee’s fitness tracker data, but maybe you do want to be alerted when a cloud-enabled hard drive is added to your network. For IoT vendors, security has to be priority number one. Our research found has found several easily addressable vulnerabilities in the backend infrastructure used by some IoT devices. Users are trusting these vendors with some very personal information. It’s the vendor’s obligation to protect it, and we’ve found evidence that some vendors aren’t taking reasonable steps to do so.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.