March 01, 2019
Responsible IoT: How to keep your office safe from botnet attacks
How many smart devices are connected to your company's network right now? I once tried to figure out the number of Internet of Things devices in my office but lost count somewhere after a hundred. From printers and Wi-Fi routers to smart wearables employees bring with them, IoT is all around. Myriads of invisible sensors and chips embedded everywhere are constantly communicating with each other, transmitting and modifying data, and totally living their own lives. Sounds fantastic!
The bad news is that without proper security measures, each piece of IoT becomes a potential entry point for cyber criminals. By adding multiple IoT units into their manufacturing lines, companies boost productivity, automate a lot of processes and increase profits. However, the more things you connect to the network, the larger the surface is for attacks.
According to the latest survey by BeyondTrust, a world leader in cyber security, in 2019 IoT devices will become key targets for malware attacks. There is nothing sudden or sensational in this conclusion, as the vulnerability still lies in the very core of IOT.
Born to Be Vulnerable
What makes the vast majority of connected gadgets such easy prey for hackers? First and foremost, IoT devices are not built with cyber security in mind. Manufacturers strive to reduce time to market and get ahead of competitors, and that often comes at the expense of defense measures.
Despite security breaches, businesses continue to increase IoT presence in their systems. The number of connected devices is predicted to double between 2017 and 2020. However, back in 2018 only 28 percent of companies planning to increase adoption of IoT considered IoT security to be a priority task.
Carelessness of manufacturers and lack of security awareness among users leave smart gadgets open to hijacking. Compared to computers, they may not seem not powerful enough to do a lot of damage, but there are lots of them, and they can they can communicate with each other to create botnets (networks of infected devices). Criminals use vulnerable gadgets as launching pads for massive attacks on servers, phishing, click frauds, spying, and other types of illegal activity.
The main threats
The latest statistics reveal the largest gaps in IoT security.
- A 29 percent increase in distributed denial-of-service (DDoS) attacks has occurred in the first two quarters of 2018, compared to 2017. The rise in malicious activity has been fueled by IoT botnets.
- 93 percent of detected IoT hacks are brute-force attacks (repetitive attempts to crack a password).
- 496 million smart devices currently used by enterprises are exposed to DNS rebinding. First disclosed in 2007, this technique allows a fraudulent website (or rather a criminal behind it) to take control of your browser and, consequently, the gadgets connected to the local network. The list of the most vulnerable devices includes IP phones, printers, networking equipment, IP cameras, and streaming media players.
One weak point is enough to cause a massive leak of sensitive information, block access to your website, or involve your corporate email in spam attacks. Yet 51 percent of enterprises with more than 1,000 employees still don't know how many devices are connected to their networks. Small-to-medium companies are more vigilant, with only 30 percent unaware of their total number of IoT units.
With IoT attacks becoming more frequent and severe, the possibility of being involved in the next cyber crime is increasing dramatically, putting your company at risk of financial loss, frustrated customers who don't trust you anymore, and a ruined. The question is not whether you'll be attacked, but when and how. By establishing and maintaining high level of cyber security as soon as possible, you'll be able to minimize casualties.
IoT is a huge and complex environment that includes device firmware and software, Internet communications, cloud platforms, and cloud applications. To develop a robust cyber security policy, you'll need to take each part into account. Here are some basic must-do practices to increase the protection of your IoT system:
Change default settings with a strong password and unique username. As a rule, manufacturers set the same default username and password combo across the whole product range. These settings are often posted online, just to help owners with setup. Leaving your devices with the factory settings is a huge favor to hackers as we learned from the massive DDoS attacks in 2016 when the Mirai malware gathered a large botnet army by using 61 default username/password combos. So before connecting to the network, defend a new piece of equipment with a hard-to-crack complex mix of characters and letters.
Update software and firmware. To fix security flaws, IoT devices need to be constantly upgraded and patched. Find out if your connected gadgets update automatically. Otherwise, contact a device manufacturer to get more information about the latest firmware and software improvements. Establish a regular practice for applying new available patches and keeping devices up-to-date.
Reboot smart devices on a regular basis. Most malicious software is uploaded to memory and stored there. After a device reboot, the malware will be removed.
Assess the security capabilities of devices. As mentioned above, many IoT units lack security-by-design and so are not patchable. Before buying new equipment, check whether it has the change password option and updatable security features. If your gadget relies on cloud services (and it most probably does), learn as much as possible about security policy of the IoT platform, its encryption and data protection solutions.
When selecting IoT things, ask for advice from employees responsible for cyber security within your organization. (As hard as it may be to believe, in two of three cases security pros are not involved in the processes of choosing and buying IoT.)
Discover and inventory all the IoT devices connected to company network. "All" is the operative word here. You must catalog everything, including a seemingly harmless coffee machine. The more you know about the IoT environment your business is in, the better your chances of protecting it. Many organizations still perform inventory manually, inspecting room by room (and wasting too much time). Fortunately, there are free tools that automatically identify connected devices and help to catalog them.
Disconnect unauthorized and unused gadgets. It's highly recommended to block unknown devices as soon as they are spotted. Also disconnect every piece that's not in use at the moment and remove old unnecessary devices. In this way, you'll reduce the surface for potential attacks.
Scan your network for malicious activity. By monitoring connected devices and analyzing their behaviors, you can identify whether they work as expected. Any suspicious activity indicates that a gadget could have been hacked. It's also possible the suspected device just needs to be updated or has some vulnerabilities. Anyway, you should disable it and inspect more closely.
Use strong authentication. Similar to devices, your network should be protected by sophisticated passwords. To increase network security, add two-factor authentication, which reinforces a password with a second verification step.
Segment your traffic. By dividing your network into multiple subnets, you can separate the traffic of office staff from that of external users, single out employee devices, and create secluded segments for web servers and databases.
Never think you're not a target
Of course, IoT security is not limited to the measures I've listed above. The problem is far more complex and needs to be solved at all levels, starting from the design phase. Some tech giants, such as Microsoft, Intel, ARM, and Honeywell have already focused on security solutions for IoT and IIoT (Industrial Internet of Things) hardware and environment. However, IoT is developing far more quickly than the technologies capable of keeping devices and their users safe, so in most cases your cyber safety still lies in your hands.
Some companies think they are too small to be of interest to criminals, but in case of DDoS attacks hackers use all available unprotected resources, turning your devices into means for achieving their goals. If you don't want to become an unwilling participant of the next botnet campaign, let's come back to the question I started with: How many smart devices are connected to your company's network right now?
Roman Sachenko is an investigative software engineer at DA-14 Corp with a keen interest in IT security and IoT technologies.