IoT Poses Security Challenge to Enterprise Networks

There are many things in the Internet of Things (IoT); so many that enterprises are often finding themselves challenged to keep up and secure them all.

In a new study from OpenDNS entitled ‘The 2015 Internet of Things in the Enterprise Report’, researchers found that IoT devices are common in highly-regulated industries, even though the infrastructure supporting those devices has its share of cracks in it.

“The traditional approach of designing a strong perimeter and controlling everything inside of that perimeter just isn’t possible anymore,” said Mark Nunnikhoven, senior research scientist on the OpenDNS Security Labs team.

To get a sense of the situation, OpenDNS examined the more than 70 billion Internet requests it resolves and routes daily over a three-month period. These requests come from roughly 50 million active consumer and enterprise users from more than 160 countries.

According to the report, the data showed that the top three verticals penetrated most by IoT devices are education, managed service providers and healthcare. The most surprising finding, said Nunnikhoven, was the degree to which IoT devices have already been deployed in the enterprise.

“Our initial assumption was that we’d see some IoT devices in every vertical, but it surprised us that some highly-regulated industries…were in our top results for the amount of IoT-related traffic on their networks,” he said.

“Networks in these industries should be tightly controlled, given the nature of the data they hold,” he continued. “Our research shows that this isn’t the case and that conclusion is also backed up by the results of the survey we conducted. The survey results show a significant disconnect between the expectations of the IT teams and the realities of their deployments.”

In fact, the survey – which fielded responses from more than 500 IT and security professionals and 500 consumers about IoT device usage in the workplace – found that while 75 percent of the IT pros said they currently have a defined policy for employee-owned IoT and Internet-connected devices in place, roughly 65 percent of the consumers were unaware of an IoT policy or believed their companies did not have one.

According to OpenDNS, the principal risks facing IoT devices in the enterprise include: IoT devices introducing new possibilities for remote exploitation of enterprise networks; infrastructure used to enable IoT devices being beyond both the user and IT’s control; and IT’s sometimes casual approach to IoT device management leaving devices unmanaged and unmonitored. The report also found that some networks hosting IoT data are susceptible to patchable vulnerabilities such as FREAK and Heartbleed.

“I would urge IT and security teams to avoid deeply integrating IoT devices into their authentication strategy, and to be on the watch for unusual spikes in traffic coming from those devices,” said Trey Ford, global security strategist at Rapid7.

“Many companies have a hard enough time keeping track of what systems are on their networks – IoT is only the latest addition to the list of considerations to stack on top,” he said. “I think the big push for NAC (network access control) has lost steam as BYOD (bring-your-own-device) and the consumerization of IT [has] helped change the way we look at other devices on the network. There is a striking difference between BYOD and IoT: the management of code. The personal hardware – privately owned laptops and mobile devices – tends to do a decent job of self-updating. IoT will keep more deprecated code and old school vulnerabilities on the network for a long time to come.”

According to Nunnikhoven, knowing what is running on the network should be the first step for enterprises.

“Some devices might not pose a risk to your organization, while others might be of significant concern,” he said. “For instance, you may not be concerned about your employee’s fitness tracker data, but maybe you do want to be alerted when a cloud-enabled hard drive is added to your network. For IoT vendors, security has to be priority number one. Our research has found several easily addressable vulnerabilities in the backend infrastructure used by some IoT devices. Users are trusting these vendors with some very personal information. It’s the vendor’s obligation to protect it, and we’ve found evidence that some vendors aren’t taking reasonable steps to do so.”
