How to wake the enterprise from IoT security nightmares

The IoT security market will reach a valuation of $36.95 billion by 2021, says data from a Marketsandmarkets.com analyst report. Where the cyber security mayhem grows, so flows the security market money.

In 2017, experts predict that gaping IoT security holes will lead to the destruction of critical infrastructure and increases in competitive intelligence gathering and intellectual property theft. 2017 will see more DDoS attacks of the magnitude that brought down the Dyn Domain Name System service and many high-profile web domains with it.

CSO dives into top security nightmares stemming from the sheer multiplication, vulnerability, capacity, reach, and scale of IoT, delivering solutions and insights from IoT security researchers, academics, and experts.

A top five collection of IoT security nightmares

Nightmare No. 1: 

5 million new IoT devices added daily equals as many and more new security vulnerabilities each day. In 2016, the world connected 5.5 million new things to the internet daily, according to Gartner. The more the IoT devices, the more the security vulnerabilities, given that there are typically multiple security holes per device, and the broader the attack surface, since these connected gadgets are popping up everywhere, says Roberto Tamassia, Ph.D., executive master in cybersecurity at Brown University.

“Factors that contribute to IoT device vulnerabilities include device manufacturers who don’t have extensive cyber security experience, computing power and storage constraints that limit the available security mechanisms, cumbersome software update procedures, and the lack of user awareness of the security threats posed by these devices,” explains Tamassia.

Nightmare No. 2: 

IoT devices are a very attractive and powerful form of ubiquitous, low-hanging fruit for attackers. The growing number of easily hacked IoT consumer products is leading to a greater likelihood, frequency, and severity of IoT security nightmare scenarios including attacks on enterprise data, plants and equipment, and employees as well as consumers.

It is not hard for an attacker to gain control of entire networks starting from the compromise of any one of the many vulnerable consumer IoT devices; the popular NEST thermostat presents one example. In 2015, upon accessing the NEST’s mini USB port, TrapX Security engineers used an ARP spoofing app to spoof the ARP address for the network gateway as part of a man-in-the-middle (MITM) attack, says Moshe Ben-Simon, co-founder, TrapX Security. Hackers use MITM attacks to gain increasing control of systems on either or both ends of the communication, including enterprise networks.

Even if you find the NEST thermostat in the home and not on enterprise property, close to company networks, the massive remote and mobile workforce ensures that criminal hackers’ control of home computer systems ultimately leads to attacks on the corporate systems that employees connect to from home. A NEST hack is only one way that innocent IoT devices can open entire networks and organizations to the high risk of compromise, theft, and perhaps disruption of ongoing operations, says Ben-Simon, former CISO at Dexia-Israel Bank. With control of IoT in the home or the enterprise, hackers can not only steal data but put life, limb, and property at work or away in jeopardy.