The IoT Public Security Announcement & The Role of Deception Technology in Mitigating IoT Risks
Written by: Carolyn Crandall, Chief Deception Officer and CMO – During the past several years, the Internet of Things (IoT) has become a commonly used term with organizations across all sectors as the number of connected devices continues to grow exponentially. To quantify and further validate the demand for these devices, Gartner forecasts that more than 20 billion internet-connected appliances and machines will be in use by 2020. Today, everything from refrigerators and thermostats to security cameras and doorbells is connected – and as more companies manufacture these Internet-enabled devices, threat actors are finding new ways to take advantage of the vulnerabilities that coincide.
Unconventional attack surfaces, like IoT, create major challenges as they open additional access points for attackers to establish a foothold and exploit corporate networks, often in “under the radar” fashion. To best prepare for the connected world and ensure the most comprehensive and secure IT strategy, security teams and business leaders must first educate themselves on IoT-related vulnerabilities, understand what the government is doing at the regulatory level, and be aware of the existing solutions that can address the gaps in IoT security today.
The Increasing IoT Threat
Last year, I advocated for smart cybersecurity strategies for IoT in transportation and stressed how we were more vulnerable than ever to cyberattacks that could not only compromise critical data but also threaten human safety. This remains more relevant than ever: a new report from Kaspersky Labs reveals that IoT threats continue to soar. In the first half of 2018, researchers discovered there were three times as many malware samples attacking smart devices than in all of 2017, and 10 times the 2016 total. With the huge jump in threats and access to new attack surfaces, compromised devices are increasingly being used to steal personal data and mine cryptocurrencies, alongside DDoS attacks.
Even more so, the FBI issued a PSA in August warning that threat actors are actively searching for vulnerable IoT devices to use as intermediaries for network exploitation. Notably there are also resources like Shodan, a search engine for internet-connected devices, which can be used to point out IoT systems that are vulnerable to attack, to both defenders and attackers. IoT devices are an attractive entry point for attackers due to the anonymity they offer, allowing access to business websites that would normally block suspicious IP addresses. These are just a sample of many proof points that reveal smart devices’ vulnerabilities and underscore the need for comprehensive security measures in today’s expanding, connected world, yet manufacturers still aren’t prioritizing IoT security.
What’s Being Done?
With the number of smart devices set to exceed the world’s population, it’s not difficult to see why the government is beginning to put standards in place. New laws are now dictating how to gather IoT consumer data. However, we had yet to see legislation enacted in the US that primarily focuses on IoT security, until this year. The first IoT security bill in the U.S. was recently approved and signed into law in California last week. The bill, SB-327, will take effect in January 2020 and ultimately require manufacturers to equip connected devices with a “reasonable security feature or features that are appropriate to the nature and function of the device.” While there’s debate around whether the bill is comprehensive enough, it lays a solid foundation for the industry to start thinking about why it needs regulations at the federal level. In the meantime, while awaiting the bill to take effect, business across all sectors should be thinking about what measures they can put into place to protect their end-users from vulnerabilities.
What Can You Do Today?
While the California IoT security bill is a step in the right direction, the language is vague, and there is more that organizations can proactively do to mitigate the risk of an IoT related breach. Deception technology is one of the most effective solutions for detecting in-network threats across all attack surfaces, including difficult to secure IoT devices. Deception has been repeatedly recognized as the most efficient and cost-effective way to detect threats that have bypassed traditional security controls and reduce “dwell time” – the time an attacker spends in a network before being detected.
As Rik Turner, Principal Analyst at Ovum explains, “As the attack surface continues to expand, organizations are increasingly seeking solutions that provide early detection and visibility for specialty environments. Because of its efficacy, deception technology is now entering the mainstream and will soon be in the armory of most businesses. Attivo, in particular, provides highly authentic deception across an organization’s network, including difficult-to-secure environments such as IoT, network, and telephony infrastructure.”
With the complexity and current lack of regulation around IoT device security, Attivo has prioritized staying ahead of sophisticated attackers, regardless of their attack vector, to provide the industry’s most comprehensive solution for early and accurate detection of in-network threats and attack remediation. The harsh reality is that security compromises are inevitable and unless there is an increased focus in early in-network threat detection, breaches will likely continue to increase in scope and severity in our connected world. To actively detect, isolate, and defend against network attacks, organizations must commit to designing and implementing the most comprehensive security strategy possible by implementing both perimeter and in-network measures, such as deception for a comprehensive Active Defense approach.