Securing IoT through deception
The momentum of IoT adoption is showing no signs of slowing, and with it comes increasingly material risk for both businesses and households. The quest for innovation has allowed security to fall behind, and as a result, these devices have infiltrated our lives while creating an environment where attackers can exploit these solutions for anything from ransomware to extensive denial-of-service attacks, says Carolyn Crandall, chief deception officer at Attivo Networks.
Statistics from Gartner show that the number of connected devices in use will hit 14.2 billion in 2019, and grow to 25 billion by 2021, which means there will be at least 25 billion potential entry points for security breaches.
The UK government took notice and recently launched a consultation on a raft of new IoT security laws and standards. Proposals include mandatory labelling telling consumers how secure a particular connected device is and making it compulsory to include several elements of the “Secure by Design” code of practice. The code offers guidelines about what is considered good practice in IoT security, including monitoring device data for security anomalies, using encryption, and ensuring software is updated. These are all steps in the right direction but should only be used as a baseline and not as a guarantee.
Businesses will need to adopt more sophisticated protection strategies than simply relying on device-based security. Security measures on any device can be worked around, meaning that the attempts to attack an organisation’s network through the IoT can be as varied and numerous as those on more conventional connected devices, such as mobiles, tablets and PCs. In fact, IoT devices can often offer attackers even more opportunities, because attackers can simply seek out and exploit well-known vulnerabilities. Attackers can also go after a large number of targets with the same exploit, increasing their probability of success and potential payout.
Traditional perimeter defences – firewalls, network filtering, etc. – are falling short in defending enterprises from sophisticated cyber-attacks using the IoT. The vast number of entry points creates unprecedented levels of complexity in identifying and maintaining the security of these devices, and as we have seen, even the most rigorous perimeter security can eventually be compromised.
These breaches often occur through cyber criminals convincing a network they are someone or something they are not. However, enterprises can beat attackers at their own game by using deception technology as a key weapon in their own defensive arsenal.