Ransomware and the Internet of Things

2016 has been named the “Year of Ransomware” by IT security analysts. And businesses in Singapore have not been spared either. There were 17 reported cases in the early months of last year, up from just two cases in 2015 according to Singapore’s Cyber Security Agency (CSA).

What happens when ransomware attacks converge with the Internet of Things (IoT)?

From consumer devices to school and healthcare systems, as devices surrounding us get more connected, we are more vulnerable to attacks at the same time. In October last year, broadband services of Starhub, one of Singapore’s major telco  suffered two distributed denial of service (DDoS) attacks in two days. The culprit for the illegitimate spike in web traffic turned out to be web-connected devices that were bought by their subscribers.

According to Frost & Sullivan, the IoT is on track to hit US$79.3 billion in Asia Pacific by 2020. With an infrastructure and growth rate of this extent, we can only imagine the catastrophic effects of an IoT ransomware attack.

Most businesses can trust their IT professionals to give them the best security possible with the resources available. The problem is that there are multiple challenges to IoT security:

  • Multiple vendors and device types bring multiple management points and various security baselines
  • The Internet of Things is similar to BYOD and remains uncontrolled in many companies
  • Criminals often have more resources than the IT staff of an SMB or K12 organization
  • Security for IoT devices is often thought of after deployment
  • Many device passwords are never changed, and some are hard-coded and cannot be changed
  • There is no simple way to apply patches to all devices

With all of that and more in the mix, how can companies mitigate the risk?

The first thing should be to establish controls on the company network. Who can add a device to the network? The person in charge of the environmental controls and smart thermostats doesn’t have to be the person who is securing them. Assign the responsibility to someone who is capable of evaluating the security of the devices as well as how those devices will impact the network.

Create and follow minimum security standards. Disable the default credentials. Create a new user for the device administrator. Close unused ports and disable unused services.

Take advantage of the security features on the devices. For example, Nest just added optional two-factor authentication to its products. It may be a nuisance to take the extra couple of steps to log into a camera or a thermostat, but it’s worth it to secure these devices.

Organize the management of these devices as much as possible:

  • Inventory the network, document the approved devices, remove the devices that are not necessary although approved
  • Set up the management of remaining devices in a single ‘pane of glass’ if possible
  • Schedule recurring update checks on all of the devices and install updates as needed
  • Document and keep copies of any custom configurations of your devices

Secure the devices with a perimeter firewall, just like you would any endpoint on your network. Look into additional network security specifically for these smart devices, if necessary. Barracuda offers a family of NextGen Firewalls that can protect a single office or a central office with multiple branch offices and IoT endpoints. The Barracuda NextGen Firewalls F-Series is a family of hardware, virtual, and cloud-based appliances designed to secure intelligent perimeters and dispersed network infrastructures. The F-Series cloud-ready firewalls offer a suite of powerful and robust features, including the capability to secure machine-to-machine connectivity and the Internet of Things.

Maintaining reliable backups is key to recovering data from a ransomware attack. Even if you do not have data stored on your devices, you will experience downtime and probably some frustration if you have to reset all of your devices from memory. Your documentation and organization will be very helpful if your devices are hijacked.

Anshuman Singh is the senior director Product Management at Barracuda Networks.