Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

The False Binary of IoT and Traditional Cyber Security

There’s a new challenge in cyber defense and it’s coming from everyday objects that increasingly surround us — the Internet of Things (IoT). From coffee machines and fridges to virtual assistants and video cameras, consumers are embracing a new wave of connected devices. But they seldom consider the host of unforeseen vulnerabilities that come with them.

There’s a new challenge in cyber defense and it’s coming from everyday objects that increasingly surround us — the Internet of Things (IoT). From coffee machines and fridges to virtual assistants and video cameras, consumers are embracing a new wave of connected devices. But they seldom consider the host of unforeseen vulnerabilities that come with them.

With few regulations to hold manufacturers of connected objects accountable, these internet-enabled devices offer a direct path to often very sensitive data. Meanwhile, security teams are scrambling to cope with a threat landscape that is more complex than ever, as any device lurking on your network could be subject to sophisticated attacks — not just desktops and servers.

Most IoT devices weren’t built with security in mind. They were designed for ease-of-use and a quick time-to-market. That’s part of the appeal — IoT devices are generally cheap, useful, and simple to set up. But convenience comes at a cost. 

Many of these devices do not issue firmware updates or come with patch management. Some use electronics bought from uncertified third-parties, and still others use default usernames and passwords like “admin” or “password” that users can’t change even if they wanted to.

IoT Enterprise ThreatsWe have already seen IoT devices being used en masse by cyber-attackers as an easy route into unprotected networks. In September 2016, Mirai malware scanned the internet to look for vulnerable IoT devices that had default settings. It found millions across the world, which became the unwitting accomplices in a major attack sustained by firm Dyn against its managed DNS infrastructure. 

But criminals find IoT devices attractive in their own right. Some of the most sophisticated cyber-attacks have started with an IoT breach. Not only are such attacks subtle, silent, and stealthy, but typically they are carried out with military precision. Imagine if the video-conferencing unit in your corporate HQ had been infiltrated and highly sensitive information left the building on a daily basis? Or if a biometric scanner had been compromised by a criminal group with the ultimate goal of including their own fingerprints in the database to gain access into your highly-restricted critical infrastructure facility? In fact, both of these attacks were planned out as described but unsupervised machine learning technologies detected and stopped them in their tracks before making front-page news. 

These IoT hacks raise a critical question: Whose job is it to secure the office’s connected thermostat or coffee machine? Should a ventilation system connected to the internet be protected in the same way as a company-issued laptop? And how are these emerging IoT vulnerabilities changing the approach cyber-security?  

The boundaries of what was once considered IT are expanding, and the roles of the security team must adapt to this new reality. Security officers and IT professionals who have historically been responsible for the traditional IT of desktops and servers are now forced to consider IoT as yet another inroad into the networks that they are tasked with defending. 

Advertisement. Scroll to continue reading.

To address these challenges, enterprises will need to take a more holistic approach to cyber security, uniting IT and security teams with procurement and building management, HR executives, and even senior management. They also need to appreciate that, even with all these people together, it will take more than better human attention to protect our expanding networks. 

The vast majority of security tools rely on outdated models and past experience to determine what should and shouldn’t be monitored. They overlook printers, HVAC, light bulbs, vending machines, and other IoT devices often forgetting that criminals are always going to target an organization’s weakest spot. In the modern threat landscape, every connected device is fair game, and the IoT are often the most attractive targets. The reality is that about 85 percent of networks are infiltrated in some way. Stopping the bad guys at the door is no longer prudent or indeed possible. Instead, security teams need to focus on gaining visibility of every device in the network, not just traditional computers, to protect the networks from within. 

A new class of AI technology, based on machine learning, is becoming indispensable in giving organizations the ability to monitor every device on a network to help spot potential cyber-threats. 

As the IoT continues to grow — up to 13.5 billion devices in 2020 according to Gartner — the accompanying security risks will only become more serious. As the old dividing lines between computers and non-computers dissolve, organizations are forced to reconsider cyber security from a top-down perspective. Cyber security is now everyone’s job. But if technology is permeating all objects, it will also provide the means to protect them. Now more than ever we need to rethink cyber security, and our technology has to keep pace. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Funding/M&A

Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

ICS/OT

Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).