Internet of Things — What it means for enterprise InfoSec

The Internet of Things (IoT), the umbrella term for connected devices, is providing widespread business benefits to the enterprise sector, allowing enterprises to innovate processes and improve client convenience.

Enterprises rely on IoT (sensors, modules, beacons, and other technology) to identify compliance requirements or monitor equipment performance, improve supply chain processes, and carry out other functions.

According to a report by Business Insider on the future of the Internet of Things market, the enterprise sector is expected to be the top investor in this market. In addition, there are 23.3 billion IoT devices estimated to be in use by 2019, with 40 percent – or 9.1 billion – being used in the enterprise sector.

However, this advancement is also placing a heavy burden on enterprises. Organizations now have a multitude of privacy and security challenges to address in order to maintain continuity and reputation. Some CSOs have even started viewing IoT as the acronym for “Introduction of Threats.”

Regardless of the way network segmentation is laid out by an enterprise, there will be touch points intersecting the enterprise network, and these will be highly vulnerable to cyber attacks unless they’re secured from the beginning.

According to Gartner, IoT is expanding the responsibility of enterprise security teams with every new communicating, sensing and identifying device added for a new use case. It will reshape half of all global enterprise security awareness programs by 2020 due to changes in security functioning, diversity and environment.

Top InfoSec Threats Presented by IoT

In enterprise circles, big data is constantly moving, and the Internet of Things will keep altering the lines along which it moves. As IoT becomes an integral part of the enterprise ecosystem, information security will have to face the following threats:

Data Sprawling

Once integrated into the enterprise infrastructure, IoT technology will cause data to be mass-produced. This creates tremendous strain on enterprise security systems that were not built to protect this avalanche of data, and it also affects the way data needs to be queried and the way data analysis occurs.

On top of this, information privacy will become heterogeneous and IT will have a difficult time getting enterprise users on the same page as everyone else (the vendor, supplier, etc.) when it comes to information privacy policy. Even a slight variation could open a gateway for adversaries to plant a wide range of threats, including data sabotage and maneuvering.

The holes that exist at the API level could also be exploited and used as a backbone to get into the enterprise's interconnected networks. Cyber criminals can use thingbots and other cyber-crime tools to disrupt and route private information from enterprise servers. A survey pointed out that there may not be enough network capacity to handle the data demands that will accompany the explosion of interconnected devices.

Preparations must be made in advance for the inevitable increase in InfoSec threats.

Authentication Compromise

The framework for authentication depends on the intersection of devices, network, and users. Authentication plays a critical role in secure IoT management systems, where it is used for onboarding users and devices, orchestrating processes and automation, and applying automation to requested use cases. The threat is that access control of devices may lack OEM-supplied unique IDs, which could lead to spoofing, impersonation and exploitation of data through rogue authentication.

In addition, a traditional authentication architecture may treat IoT user requests in the same way as it treats other authentication requests, which means an attack on one form of authentication can become the gateway to exploit IoT-processed data. Authentication protocols in IoT differ from traditional authentication protocols. The former include:

  • EAP (Extensible Authentication Protocol)

  • PANA (Protocol for Carrying Authentication for Network Access) – the network-layer transport for EAP.

The identity of the host may not always be available in IoT protocol cases, which makes authentication vulnerable. IP-enabled configuration errors would also be a menace. As a result, IoT authentication is a tremendous blind spot for enterprises.
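
The check below is an added example, not part of the original article: it audits a device inventory for the missing or shared device IDs described above and quarantines those devices at onboarding. The inventory records, field names and the allow/quarantine decision are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not real devices); field names are assumptions.
INVENTORY = [
    {"mac": "02:00:00:00:00:01", "model": "temp-sensor", "device_id": "TS-9F31A2"},
    {"mac": "02:00:00:00:00:02", "model": "temp-sensor", "device_id": "TS-77C0DE"},
    {"mac": "02:00:00:00:00:03", "model": "beacon", "device_id": ""},
    {"mac": "02:00:00:00:00:04", "model": "camera", "device_id": "CAM-DEFAULT"},
    {"mac": "02:00:00:00:00:05", "model": "camera", "device_id": "CAM-DEFAULT"},
    {"mac": "02:00:00:00:00:06", "model": "gateway", "device_id": None},
]


def audit_device_ids(inventory):
    """Return {mac: reason} for devices whose identity cannot be trusted."""
    by_id = defaultdict(list)
    findings = {}
    for dev in inventory:
        dev_id = (dev.get("device_id") or "").strip()
        if not dev_id:
            # No unique ID at all: access control has nothing to bind to.
            findings[dev["mac"]] = "missing-id"
        else:
            # Compare case-insensitively so "x1" and "X1" count as one ID.
            by_id[dev_id.upper()].append(dev["mac"])
    for dev_id, macs in by_id.items():
        if len(macs) > 1:
            # Same ID on several devices: any of them can impersonate the rest.
            for mac in macs:
                findings[mac] = f"shared-id:{dev_id}"
    return findings


def onboarding_decision(inventory):
    """Map each MAC to 'allow' or 'quarantine' based on the audit findings."""
    findings = audit_device_ids(inventory)
    return {
        dev["mac"]: ("quarantine" if dev["mac"] in findings else "allow")
        for dev in inventory
    }


if __name__ == "__main__":
    for mac, reason in sorted(audit_device_ids(INVENTORY).items()):
        print(mac, reason)
```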