Why an IoT endpoint explosion must be securely managed by enterprises
5 September 2018
Vendor View: Etienne Greeff, CTO and co-founder, SecureData, on why safeguarding your endpoint security matters now more than ever.
A lot has changed in IT over the past decade. We’ve seen the rise of cloud platforms, VDI infrastructure, powerful mobile devices and the remote working practices they’ve enabled. We’ve seen organisations begin to harness the power of big data analytics and AI to drive innovation and growth. And we’re experiencing a digital revolution powered by the Internet of Things (IoT). So what does this mean for IT security?
It means there is no longer such a thing as the traditional corporate perimeter. To effectively mitigate risk amid a rapidly evolving threat landscape, IT leaders must focus first on the endpoint — something that comes with its own set of challenges.
Also of interest: Six ways of achieving endpoint security
Cyber ground zero
The endpoint is increasingly the ground zero of major attacks on the enterprise. A report from last year revealed that malware-infected endpoints had increased over the previous 12 months for the majority (53%) of companies. From ransomware and data stealing raids to crypto-mining malware, the endpoint is usually the first port of call for attackers, as it enables them to target your corporate underbelly: employees.
That’s why we’ve seen phishing become the de facto method of spreading malware and harvesting credentials en route to corporate data. It’s present now in 93% of data breaches. Where phishing isn’t favoured, brute force decryption of passwords and automated credential stuffing are used to crack accounts. Then there are the newer forms of fileless malware being used to bypass traditional endpoint filters: these attacks soared 94% in the first half of 2018.
Also of interest: The BYOD juggling act: balancing security, privacy and mobility
An IoT explosion
This makes it more important than ever to focus your cybersecurity resources on improving endpoint protection. But there’s an even bigger risk on the horizon. Some 60% of Black Hat USA attendees interviewed this summer claimed they were more concerned about IoT security than in 2017. And they have good right to be. Gartner estimates there will be 20.4 billion things in use by 2020, with over seven billion in operation in businesses. These could range from IoT devices designed to improve process efficiencies on the factory floor, to smart CCTV cameras and building maintenance systems — even smart home security devices such as door access systems, home security cameras and even baby monitors.
Taken together they represent a huge expansion of the corporate attack surface. Why? Because unfortunately many are still not designed with security in mind. In fact, many IoT manufacturers may not even have vulnerability management or software patching processes in place. Yet these endpoints are always-on, and could be connected to the corporate network. Even worse, many of them may not have been officially sanctioned by the IT department — that smart TV in the boardroom covertly recording all your meetings, for example.
Spyware isn’t the only threat from exposed IoT endpoints. They could be hijacked to provide a stepping stone into the corporate network, or remotely controlled to sabotage industrial processes. They could even be compromised and conscripted into botnets to launch DDoS attacks, crypto-mining, spam campaigns, click fraud, credential stuffing and more. Whilst these may not end up harming the organisation itself, the wider implications are stark. Think about those infamous Mirai botnet attacks of 2016, made possible because devices were secured only with a factory default log-in. They resulted in DDoS attacks which took down some of the web’s biggest sites, including Twitter, Reddit and Netflix.
That’s why the FBI recently issued an IoT security alert, warning that everything from NAS devices to routers and IP cameras are at risk, with those in developed nations “particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses.”
Also of interest: Is bitcoin the currency of our future?
In effect, when you buy an IoT product for the enterprise without adequate testing and due diligence, you inherit the cybersecurity debt generated by the vendor’s own cost savings and short cuts. Multiply this by the hundreds or thousands of IoT endpoints in the organisation and you have a real problem. This isn’t scare-mongering: 21% of those Black Hat attendees claimed to have found an IoT device that had been compromised or involved in a breach.
So what can IT security leaders do? It’s really important to do your research on new IoT vendors and especially their policy on vulnerability management and disclosure. The good news is that the BSI this year introduced a kitemark for IoT and IIoT devices which includes enterprise and “enhanced security” categories. This should improve baseline security across the board by making it easier for IT buyers to spot the best kit. The National Cyber Security Centre (NCSC) is also doing its bit by providing guidance for developers.
However, the strain on already overstretched IT security teams could still lead to security gaps. The IoT revolution greatly increases the patch workload, while advanced endpoint security features like sandboxing require hands-on expertise to configure and manage effectively. The answer could be managed security services. By outsourcing to a third-party expert you ensure that even a large and dispersed endpoint estate will be kept up-to-date, correctly configured and securely managed at all times.
It’s increasingly the best way to minimise security risk amid an explosion of endpoints, strict new European data protection regulations and board-room demands for digital transformation.