There are many things in the Internet of Things (IoT); so many that enterprises are often finding themselves challenged to keep up and secure them all.
In a new study from OpenDNS entitled ‘The 2015 Internet of Things in the Enterprise Report’, researchers found that IoT devices are common in highly-regulated industries, even though the infrastructure supporting those devices has its share of cracks in it.
“The traditional approach of designing a strong perimeter and controlling everything inside of that perimeter just isn’t possible anymore,” said Mark Nunnikhoven, senior research scientist on the OpenDNS Security Labs team.
To get a sense of the situation, OpenDNS examined the more than 70 billion Internet requests it resolves and routes daily over a three-month period. These requests come from roughly 50 million active consumer and enterprise users from more than 160 countries.
According to the report, the data showed that the top three verticals penetrated most by IoT devices are education, managed service providers and healthcare. The most surprising finding, said Nunnikhoven, was the degree to which IoT devices have already been deployed in the enterprise.
“Our initial assumption was that we’d see some IoT devices in every vertical, but it surprised us that some highly-regulated industries…were in our top results for the amount of IoT-related traffic on their networks,” he said.
“Networks in these industries should be tightly controlled, given the nature of the data they hold,” he continued. “Our research shows that this isn’t the case and that conclusion is also backed up by the results of the survey we conducted. The survey results show a significant disconnect between the expectations of the IT teams and the realities of their deployments.”
In fact, the survey – which fielded responses from more than 500 IT and security professionals and 500 consumers about IoT device usage in the workplace – found that while 75 percent of the IT pros said they currently have a defined policy for employee-owned IoT and Internet connected devices in place, roughly 65 percent of the consumers were unaware of an IoT policy or believed their companies did not have one.
According to OpenDNS, the principal risks facing IoT devices in the enterprise include: IoT devices introducing new possibilities for remote exploitation of enterprise networks; infrastructure used to enable IoT devices being beyond both the user and IT’s control; and IT’s sometimes casual approach to IoT device management cleaving devices unmanaged and unmonitored. The report also found that some networks hosting IoT data are susceptible to patchable vulnerabilities such as FREAK and Heartbleed.
“I would urge IT and security teams to avoid deeply integrating IoT devices into their authentication strategy, and to be on the watch for unusual spikes in traffic coming from those devices,” said Trey Ford, global security strategist at Rapid7.
“Many companies have a hard enough time keeping track of what systems are on their networks – IoT is only the latest addition to the list of considerations to stack on top,” he said. “I think the big push for NAC (network access control) has lost steam as BYOD (bring-your-own-device) and the consumerization of IT [has] helped change the way we look at other devices on the network. There is a striking difference between BYOD and IoT: the management of code. The personal hardware – privately owned laptops and mobile devices – tends to do a decent job of self-updating. IoT will keep more deprecated code and old school vulnerabilities on the network for a long time to come.”
According to Nunnikhoven, knowing what is running on the network should be the first step for enterprises.
“Some devices might not pose a risk to your organization, while others might be of significant concern,” he said. “For instance, you may not be concerned about your employee’s fitness tracker data, but maybe you do want to be alerted when a cloud-enabled hard drive is added to your network. For IoT vendors, security has to be priority number one. Our research found has found several easily addressable vulnerabilities in the backend infrastructure used by some IoT devices. Users are trusting these vendors with some very personal information. It’s the vendor’s obligation to protect it, and we’ve found evidence that some vendors aren’t taking reasonable steps to do so.”