NTT Security has warned that IoT devices continue to increase security risks for both businesses and consumers. The warning comes in its latest Global Threat Intelligence Center (GTIC) report. It also explicitly calls out Chinese manufacturer Xiongmai, saying: “Xiongmai has a history of producing IoT devices with little-to-no security, and Xiongmai devices have been associated with Mirai before, all the way back to 2016 when Mirai first appeared.”
IoT is not the only area that is causing concern. Aaron Perkins, Lead Analyst, warned that Iran is expected to increase its cyber espionage, saying: “Iran will quickly join the ranks of China and Russia as the ‘most capable and active cyber actors tied to economic espionage.’ What this means for you and your organization is that the threat of having your data stolen, your systems destroyed, or your network compromised increases even more.”
Why the threat from IoT isn’t going away
When people talk about IoT in terms of lightbulbs, doorbells and security cameras, they are often focused on consumers. That is changing. Businesses are looking to reduce costs in the enterprise. They have already been through several changes in the way they light buildings, moving from incandescent and fluorescent to energy-saving bulbs and timers.
Smart bulbs offer another option where lighting can be more closely controlled based on where it is needed. Additionally, having a system that does its own failure warning saves time, money and frustration when lights are out for any period of time. But doing this means that the light bulbs have to be on the network. That creates an entry point for hackers who craft attacks that use smart bulbs to transition into the network.
This is not a new problem and it applies to the majority of IoT that is brought into the enterprise. Fridges, dishwashers, smart speakers, security cameras, smart bulbs, TVs and even thermostats are all being connected to the Internet and all are increasingly present in offices.
Perkins adds that: “...just like adding any other device, implementing smart devices into your commercial environment enlarges your digital footprint.” Among the risks that they pose are default configurations with either hard-coded passwords or those which are easy to guess. User accounts are also hard-coded. As many of these devices are not installed by IT, there is a lack of security process to change usernames and passwords.
What should you do about IoT?
It is not possible to block these devices from ending up in offices. In the white goods market, corporate buyers want Internet connectivity as it improves support. Perkins suggests a number of things that companies should do when considering smart devices. These include:
- Take your time when selecting smart security devices or any IoT device: Understand the configuration of the device before connecting it to your network and consider vulnerability assessment and penetration testing activities on your environment both before and after connecting your device(s).
- Change all default username/password configurations on smart devices: If the smart device you are considering introducing into your environment uses hard-coded credentials such as password and login information, NTT Security recommends not connecting the device to your network. Many IoT devices ship with default credentials. Ensure you modify the default credentials to ensure the device remains secure.
- Use the ‘least privilege’ access model: If the device passes the previously mentioned security measures and you decide to connect the device to your network, ensure those personnel granted access to the device and its configuration are the only ones who genuinely need to have access.
- Have an incident response (IR) plan prepared in the event your devices are compromised: At a minimum, your IR plan should include the steps your organization will take to contain the incident, should identify who oversees leading the response effort, and should clearly outline what your mitigation steps will be to reduce the impact of the incident.
NTT Security and WhiteHat – a move towards better IoT security?
Earlier this week, NTT Security announced the acquisition of WhiteHat Security. This gives NTT Security customers access to the WhiteHat cloud-based Application Security Platform. It has an immediate implication for anyone looking to develop or utilise IoT systems inside their organisation.
The WhiteHat platform is built around DevSecOps. This means that security is a starting point, not a destination, for applications. IoT developers can use it to make sure that their code is robust and secure. It also allows the IT security team to develop tests to make sure that there is no use of fixed usernames and passwords in the software. It offers the opportunity for IoT device software built using the WhiteHat platform to be enterprise secure.
Enterprise Times: What does this mean?
IoT security has been under the spotlight for several years and is not getting any better. A major part of the problem is that people want to pay as little as possible. This is not just a consumer approach. Corporate buyers will often shop around for the cheapest deal, ignoring the fact that cheap does not mean stable or trustworthy. There is now a need for trustworthiness to become part of the buying process.
Security vendors have their part to play in this. Making sure that SIEM systems actively search for IoT devices on networks is a starting point. IoT devices have limited capabilities and are repetitive in terms of network traffic. They should be easy to identify.
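The observation that IoT traffic is limited and repetitive can be turned into a simple flow-log heuristic. The sketch below is an added example, not code from NTT Security or the GTIC report. The flow tuple format, the IP addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # Camera-like host: one cloud endpoint, exactly every 60 s.
    for i in range(20):
        flows.append((1000 + i * 60, "10.0.5.20", "203.0.113.10", 443))
    # Bulb-like host: two endpoints, every ~300 s with small jitter.
    for i in range(12):
        dst = "203.0.113.20" if i % 2 == 0 else "203.0.113.21"
        flows.append((1000 + i * 300 + (i % 3), "10.0.5.21", dst, 8883))
    # Workstation: irregular timing, many destinations.
    ts = 1000
    for i, gap in enumerate([3, 47, 5, 210, 12, 95, 1, 330, 20, 64, 7, 150, 33]):
        flows.append((ts, "10.0.1.50", f"198.51.100.{i % 8 + 1}", 443))
        ts += gap
    # Host with too little traffic to profile.
    flows.append((1500, "10.0.1.99", "198.51.100.9", 443))
    return flows

def profile_hosts(flows, min_flows=10):
    """Per source: flow count, distinct endpoints, regularity of timing."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, dst, port))
    profiles = {}
    for src, recs in by_src.items():
        if len(recs) < min_flows:
            continue  # not enough data to judge
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near 0 means clockwork-like traffic.
        cv = pstdev(gaps) / avg if avg else 0.0
        profiles[src] = {
            "flows": len(recs),
            "endpoints": len({(d, p) for _, d, p in recs}),
            "gap_cv": round(cv, 3),
        }
    return profiles

def iot_like(profiles, max_endpoints=3, max_cv=0.2):
    """Sources with few endpoints and regular timing (assumed thresholds)."""
    return sorted(s for s, p in profiles.items()
                  if p["endpoints"] <= max_endpoints and p["gap_cv"] <= max_cv)

if __name__ == "__main__":
    for host in iot_like(profile_hosts(build_sample_flows())):
        print("IoT-like traffic profile:", host)
```

Hosts flagged this way are candidates to reconcile against the asset inventory. The thresholds need tuning against real traffic before they drive alerts.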
NTT Security has also teamed up with Orange around 5G, connected cars, healthcare, smart cities and IoT. For customers working on solutions in those spaces and others, this combination of NTT Security, WhiteHat and Orange could be a game changer.
The GTIC report closes saying: “So far in 2019, GTIC researchers have noticed attackers targeting IoT device vulnerabilities in botnet campaigns, internet-wide scanning, and blind hacks. The increase in network-connected devices in both residential and commercial settings continues to broaden the threat landscape. These vulnerable devices, often left out of asset security management plans, are easy targets for threat actors who can find publicly available vulnerabilities and exploit code to target them.”
How exposed are you?