Four Steps To Reduce IoT Risk
In the past two years, hackers have increasingly targeted Internet of Things devices to breach cybersecurity defenses. Because these devices are frequently not patched when software flaws are found, they represent a soft target for attackers. In 2017, 15 percent of all successful attacks exploited one of these device’s beachheads. By 2019, that number increased to 26 percent of all incidents with growth expected to continue, according to a recent analysis performed by Ponemon Institute. At the same time, the number of devices is expected to double by 2023 with the explosion of new products and the increased bandwidth available through 5G Internet connections.
The problem of the increasing number of Internet of Things (IoT)-targeted attacks is not limited to an increase in consumer devices that are considered weak from a security perspective. The IoT devices that reside on corporate networks – and there are many – are among those that are increasingly being exploited.
IoT is a very broad term that implies the use of simple computers, including a host of consumer electronics such as Internet-connected picture frames or smart speakers that perform a limited number of functions. But the term also includes devices that are used for commercial purposes such as building automation systems, like thermostats or escalator controls, and office automation devices such as Internet-connected monitors in conference rooms. All of these “simple” devices have one thing in common: They create new risk surfaces for the network on which they reside.
But why are these devices such easy targets for hackers? Traditional security tools are designed to protect servers and other sophisticated network devices. They extract information such as the servers operating system release version and the configuration state. Controls that drive software patching and configuration management are then built on top of this data.
IoT devices are not capable of responding to queries or providing information about their configurations and software versions. A traditional security system sees an IoT device as an Internet protocol address on the network without supporting data. It is not uncommon for hundreds if not thousands of these devices to show up on an organization’s network. In the case of one top-tier bank, 200,000 IoT devices were visible but not incorporated into many traditional security controls because of the lack of data that could be obtained from them.
On a positive note, the simple nature of these devices can be used to an organization’s advantage when developing its security strategy. A behavioral analysis technique developed for securing factory floor computers is being repurposed to fill in the blanks. Instead of asking the IoT device for the needed security control data, this technique monitors the IoT device’s communications. Critical information is extracted directly from the conversation through deep-packet inspection and from the data partners with whom the device communicates. This passive monitoring technique, coupled with a broader program of repair and segmentation, can be used to bring IoT risk under control.
One plan for minimizing IoT risk, which is modeled after what has been done to secure industrial environments, can be broken down into four steps: find and plug any holes that are open to the Internet; segment weak devices; attract IoT devices to an appropriate segment; and monitor weak devices for signs of takeover.
The first step in minimizing IoT risk is to look at the network as an attacker would view it. Owners should regularly scan the network’s exterior for any systems that are unexpectedly open to the Internet. Accidental mis-configurations and insider attacks will cause weak IoT devices to become visible from the Internet.
Also, legacy building automation systems that were installed in the last 20 years may have been directly connected to the Internet to permit easy access for remote monitoring. These systems can remain in service for decades, accumulating vulnerabilities and escaping security policy upgrades because they are not considered part of the computing infrastructure. External scans can be used to find these holes.
The second step, segmenting the network, exploits the fact that IoT devices have a limited range of functions with a small number of communication partners. A security camera should capture video and route it to video processing/recording devices. That’s all it does. It should not be whispering sweet nothings to the accounting server. If it does, there probably is an infection present.
It is important that organizations group similar devices and those that communicate with each other on common segments. For example, devices responsible for the operation of the HVAC system should be grouped together, and monitors used in conference rooms also might be placed on a common segment. By placing devices that are closely related in function onto the same network segment, it will be possible for the behavioral analysis system to learn the normal pattern of operations more rapidly and will save processing resources.
Sometimes, creating a segment that is composed of communication partners such as all HVAC devices can be difficult. The behavioral analysis system can help with this. Because behavioral analysis uses deep packet inspection to read a device’s traffic, the communication partners can be directly mapped.
Once network segments have been established, organizations need to migrate existing IoT devices to their proper locations. Because the owners of IoT devices are not easily determined through automated processes, a social engineering process can be used to obtain the data needed.
Before starting, cybersecurity staff should work directly with building automation personnel to isolate critical systems that should be excluded from this phase. Disabling communications to the elevators unexpectedly, for instance, will not be appreciated. The behavioral analysis provides a communication partner map that makes it possible to identify all of the partners connected to critical systems. Once these critical systems have been identified and placed onto their respective segments, cybersecurity personnel can begin working on the unwashed masses.
An organization’s staff should then block access to a small number of devices that share common behavior and are likely to belong on a common network segment. This staff will work closely with technical support, as the support team will likely receive the problem calls.
When a call comes in, the service person will request information about the device’s ownership, location and description. This information can be used to fill out the asset database. The identified device can now be moved to its proper segment and communications restored. Access would be blocked to new devices that have not gone through authorization so they could not come onto the network segment.
As a final step, staff would create a series of network segments to be used by consumer electronics. This segment would be open for anybody wishing to connect to it, so employees would not be tempted to hide their devices. There is a place for an employee’s Internet-connected plant monitor, but it is up to the employee to install it. This step would be coupled with an aggressive communications campaign to let employees know where their devices will be welcomed.
The last step of the process is for organizations to monitor for attacks. Behavioral analysis watches the usual behavior of a device during a training period. It builds a model that describes who communicates with the IoT device and how they usually interact with each other. Since IoT devices have a limited range of functionality when they are operating correctly, anomalous behavior is readily identified. Because the IoT devices are concentrated onto specific network segments, the effort required to monitor the lot is much less than if they remained distributed across the network. The time required to find an infection also is reduced accordingly.
As powerful as behavioral analysis is, sexy new tools alone are rarely able to increase security. Instead, comprehensive processes in which the new tool operates will play a significant role.
Behavioral analysis is an excellent tool to use in the fight against IoT attacks. But when it is used as part of a larger strategy to manage data needed for the asset database, it becomes significantly more effective.
Stephen Wood, strategic product manager at Tripwire and board member for the Open Cybersecurity Alliance, uses the insights he has garnered from studying the technology market evolution to design security products for Tripwire.