According to experts, the recent distributed denial of service (DDoS) attack that brought down dozens of websites in the US and abroad was the largest of its kind in history, possibly even twice as large as any previous attack.
The reason? Attackers took advantage of the exploding number of unprotected Internet of Things (IoT) devices, using as many as 100,000 “malicious endpoints” – including internet-ready cameras – to overload servers of the company that controls much of the internet’s DNS infrastructure and crash scores of sites including Twitter, CNN, Netflix and many others.
This cyber-attack was the most recent example of IoT devices being used to wreak havoc, but until there are standards and regulations in place to govern IoT and determine who is responsible for securing and monitoring those devices, it won’t be the last. Saying IoT needs to be stopped is like saying we shouldn’t have distributed power across the country. It’s not realistic because the IoT train has already left the station. Similarly, simply shutting down any device that’s not behind a network firewall can be disruptive to a business, to say the least, and it’s a reactive, painful way to resolve the issue. In some cases – a bank’s data center trading stocks, for example – shutting down that unit could cause the bank to implode.
Any organization concerned about loss of revenue and/or brand credibility should be focused on IoT security, but unfortunately, right now most are relying on security through obscurity. For example, even though the Facilities department of a major financial services company may not understand the complexities and risks of a certain IoT device it needs, it may install the device anyway, even when IT has denied permission to do so, potentially putting the network at risk. There should be a methodology in place, as well as a gut check on the part of the staff, but right now facilities departments either don’t know what they don’t know or don’t have the funding and/or internal relationships to get these projects done. And from a business perspective, IT still gets the lion’s share of budget compared to facilities because IT is seen as more strategic to the business.
Key Steps to Limit Chances of an Attack
It is important to recognize that while there is no 100 percent foolproof method for protecting corporate networks from attacks, there are steps that can be taken to significantly mitigate the risk of such attacks impacting your organization.
The first and most important thing every organization should do is evaluate and assess all of the components on their network as well as those that aren’t. Is your water cooler connected? The coffee maker? Most large enterprises have decent inventories of networked devices but not of non-networked devices, and it’s critical to assess the risk and vulnerability of every device in order to know what needs to be protected. Many internal lines of business have added connected objects over the last five years – things like building automation systems, cameras, printers and water systems. As an increasing number of these devices are being brought online, enterprises typically lack a complete inventory of all of them.
Once an assessment has been made, it’s back to fundamentals. There needs to be an understanding of where the gaps are. Now that an inventory has been done, organizations can prioritize which internet-connected systems need to be fixed first.
From there, the key is to implement and practice a consistent policy around anything new, anything supported, and anything third-party, and to tweak and optimize that policy on a regular basis. Be sure new devices have basic security built in that allows firmware updates and patches to be applied as they’re made available.
Another important consideration is IoT resources. Should your organization ramp up internal IT hiring and bring people onboard who understand both sides of the IoT equation, the technology piece and the facilities management piece? Does it make sense to train your existing staff? Or does it make most sense to outsource? To be positioned to resolve the myriad IoT issues that exist today and to handle new ones on the horizon, organizations need to have the internal and/or external resources and methodologies to mitigate these issues from a life cycle perspective.
In future posts, I’ll explore other issues around IoT. In the meantime, I look forward to your comments and questions.