The Internet of Everything Insecure
“Security by design is a mandatory prerequisite to securing the IoT macrocosm, the Dyn attack was just a practice run.” – James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology.
Remember the 21st of October 2016? A series of carefully mastered DDoS attacks paralyzed internet services on the East Coast, affecting the businesses of market giants like Amazon, Netflix, PayPal, Starbucks, Verizon, Visa – the actual list is longer, and pretty impressive.
The US Department of Homeland Security launched an investigation and it revealed that the extremely sophisticated attack was a botnet that spread through a large number of Internet of Things-enabled (IoT) devices, including cameras, residential gateways, and baby monitors, which had been infected with the Mirai malware.
Later, a Forbes article reported that the attack was likely the brainchild of ‘ an angry gamer’.
Puns aside, if an angry gamer can bring down some of the biggest companies of the world down in a day, that gives every organization with IoT plans a lot to worry about.
Surviving in a World of IoT Enabled Complexity
History chronicles that the invention of the wheel changed the course of human civilization. The impact of IoT is perceived to be of similar, if not greater, proportions. However, the concept of millions of ‘smart’ interconnected devices raises a security concern of similar magnanimity. IoT will introduce thousands of new threat vectors simply by increasing the number of networked entry points. The security risks increase exponentially, and the attack vector or surface is—in theory—potentially limitless.
In addition, there is a huge variety of different (sometimes obsolete) operating systems, programming languages, and hardware. If you thought that the networks have become complicated after cloud, wait till you see this one!
In a 2017, a study tittle ‘The Internet of Hackable Things’ , researchers at the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation found that :
- 80% of devices, along with their cloud and mobile components, did not require a complex password
- 70% of devices, along with their cloud and mobile components, enabled an attacker to identify valid user accounts through enumeration
- 70% of devices used unencrypted network services;
- 6 out of 10 devices that provided user interfaces were vulnerable to a range of weaknesses, such as persistent XSS1 and weak credentials
It can be safely said that IoT opens up the enterprise to an increased risk of falling prey to malicious attacks. Forget about securing individual devices, it would be a herculean task to even have a clear idea of how many of these devices are connecting to your enterprise networks and from what sources. So how does one prepare a defence when they don’t have a clue about where the attack is going to come from?
According to a Forrester study, 77% of respondents admit that increased usage of IoT devices creates significant security challenges and IoT is forcing 76% of surveyed security leaders to re-assess how they secure their enterprise networks.
Why networks, you would ask.
It is obvious that it is practically impossible to secure the plethora of devices individually. Moreover, apart from connecting to your enterprise network, some of these devices connect to the cloud, other third-party devices or systems beyond your firewall. Strengthening your enterprise network, that acts as the underlying carrier for all the data that these devices transmit, is your best possible line of defence.
The Need for a New WAN
Existing legacy WAN architectures are inadept at handling the havoc that IoT can usher into your landscape in terms of complexity, security and manageability. To be able to mitigate the security vulnerabilities that IoT opens up, IT leaders will need a solution that can bring the following changes to the enterprise networks:
- Simplification and Automation, better control and manageability: Existing WAN architectures are already complicated enough and have become an operational nightmare for many IT teams. IoT deployments will add a large number of devices; often deployed in remote locations that use multiple access methods spanning wired and wireless networks to connect to the enterprise. Without simplifying and automating the network, it will be impossible for IT teams to track and monitor the flow of data across the networks, detect possible vulnerable entry points and configure the networks to assign security policies accordingly.
- Network Segmentation: By bunching up or clustering IoT devices, IT teams can minimize the damage in the event of a security breach. These IoT devices and entry points can be isolated from the rest of the company end-points to limit how far a security attack can penetrate within the enterprise architecture. These network overlays can be as granular as possible, and it will be easier to configure and apply policies and access controls over these network clusters.
- Real-time Monitoring and Analytics: What you can’t see, you can’t secure. IT teams need a centralized panel that can provide them real-time, granular and in-depth view into the enterprise network at any given point of time. An advanced analytics tool can leverage data from past breaches and predictive analysis to raise the red flag early on for IT teams about possible security breaches – leaving the teams with some time to form a contingency plan and minimize risk and impact.
- Integrated Security: A third-party NGFW (Next Generation Firewall) hardly serves the purpose because it just adds an additional layer to upgrade, monitor and manage. A network with integrated multi-layer security will reduce complexity and create a closely-knit secure enterprise network architecture.
The correct SD-WAN solution can help organizations get a head start on their IoT security journey. For Example, while there are multiple SD-WAN solutions in the market today, Versa’s SD-WAN is a multi-service, multi-tenant software platform built on cloud principles to deliver scale, segmentation, programmability and automation. It provides advanced networking and security in a single software services platform that software-defines the branch.
Unless, of course, you are willing to open up your enterprise security to someone who forgot to run the latest software update on their IoT enabled toaster!