It’s no secret that connected IoT devices have inherent cybersecurity risks.
The IoT opens the door for malicious actors to launch attacks and infiltrate thousands or millions of unsecured devices; paralyze infrastructure and destroy networks through DDoS attacks; and potentially access private or sensitive information. Much of the embedded firmware that runs connected IoT devices is insecure and highly vulnerable, leaving an unknown number of critical systems at risk.
As connected devices proliferate, so do the risks. Consider that the number of IoT-connected devices around the world is expected to reach 25 billion by the end of 2021, according to Gartner. With 127 new IoT devices connecting to the internet every second, according to McKinsey, the potentially exploitable vulnerabilities on these devices are fueling a growing attack surface.
Addressing the security challenges of the IoT requires a two-pronged approach. It should consider attack preparedness from the point of view of the protected product, by means of secure code in the software and firmware running on those devices. An IoT security strategy must also have detection and response capabilities to deal with fallout when vulnerabilities are inevitably exploited.
Anticipate device security improvements
As IoT adoption continues to grow, standards, compliance requirements, and secure coding practices surrounding IoT have not kept pace. Recent high-profile software supply chain attacks have highlighted the issue of secure coding, prompting the Biden administration to issue an executive order with new requirements for federal agencies to purchase and deploy only secure software. This critical change will have an immediate impact on global software development processes and lifecycles, especially considering the broad scope of US federal government procurement. Virtually all device makers and software companies will be directly affected as the administration begins to increase private sector obligations and set new industry security standards.
Specific to IoT, the executive order directs the federal government to launch pilot programs to educate the public on the security capabilities of IoT devices, and to identify IoT cybersecurity criteria and secure software development practices for a consumer labeling program. Perhaps this is just the incentive that the private sector needs to adjust its practices to align with these criteria. Historically, it is estimated that fewer than 30% of IoT device manufacturers notified by Bitdefender with evidence of software vulnerabilities have even responded or acknowledged the flaws, according to Bitdefender. Also, while most manufacturers end up fixing issues, the speed at which they do so is relative.
As administrators and agencies consult with industry and commerce leaders to answer questions about exactly when the order will be implemented in the United States and at what scale various infrastructure and manufacturing organizations will need to comply, manufacturers can now take certain steps to prepare. They are as follows:
- Make secure coding training mandatory for software developers.
- Solicit and share information on common IoT vulnerabilities across the community.
- Investigate the most common pitfalls by checking out cybersecurity communities.
- Perform code analysis using automated tools, making sure nothing is released without first being scanned for potential vulnerabilities.
- Use penetration testing teams to find anything missed in the development cycle, but vet third-party penetration testing providers; some are in it for the money.
Assume everything is flawed
For buyers of IoT devices, ideally the product you buy meets the standards and requirements, especially once the executive order is implemented. But recognize that it is wise to perform your own penetration tests on devices.
In my years of experience, I have never seen a system that cannot be compromised, either in nature or in a controlled environment. Someone will find the vulnerability, so it’s important to take advantage of pen testers to find it where you can first.
Once the IoT devices pass the security approval and are placed in your infrastructure, make sure to monitor them using extended detection and response, endpoint detection and response, or other security operations center solutions. That way, in the event of a breach, you’ll have the visibility you need to determine if devices are doing something they shouldn’t be in terms of questionable behavior regarding access, requests, times, and IP addresses. Additionally, these detection and response capabilities provide a baseline reading of device operation, making it easier to detect anomalies while ensuring protection is in place when one of those devices is attacked.
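The kind of baseline comparison this monitoring relies on, as an added example that is not from the original article: it learns each device's normal peers, active hours and request rate from constructed flow records, then flags deviations in access, request volume, time of day and IP address. The record layout, device names, addresses and the `burst_factor` threshold are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: (ISO 8601 timestamp, device, destination IP, destination port).
LEARNING = [
    ("2021-06-01T09:00:05", "camera-01", "192.0.2.10", 443),
    ("2021-06-01T09:30:05", "camera-01", "192.0.2.10", 443),
    ("2021-06-01T09:15:00", "thermostat-02", "192.0.2.20", 8883),
    ("2021-06-01T21:15:00", "thermostat-02", "192.0.2.20", 8883),
]
OBSERVED = [
    ("2021-06-02T09:00:04", "camera-01", "192.0.2.10", 443),       # matches baseline
    ("2021-06-02T03:12:40", "camera-01", "198.51.100.7", 23),      # new peer, odd hour
    ("2021-06-02T09:20:00", "thermostat-02", "192.0.2.20", 8883),
    ("2021-06-02T09:20:01", "thermostat-02", "192.0.2.20", 8883),
    ("2021-06-02T09:20:02", "thermostat-02", "192.0.2.20", 8883),  # burst within one hour
    ("2021-06-02T11:00:00", "printer-09", "192.0.2.30", 443),      # never profiled
]

def build_baseline(flows):
    """Per device: peers (IP, port) and hours of day seen, plus peak flows per hour."""
    base = defaultdict(lambda: {"peers": set(), "hours": set(), "peak": 0})
    per_hour = Counter()
    for ts, dev, dst, port in flows:
        b, bucket = base[dev], (dev, ts[:13])  # ts[:13] is the date plus the hour
        b["peers"].add((dst, port))
        b["hours"].add(ts[11:13])
        per_hour[bucket] += 1
        b["peak"] = max(b["peak"], per_hour[bucket])
    return dict(base)

def detect(flows, baseline, burst_factor=2):
    """Return sorted (device, reason, detail) tuples for flows outside the baseline."""
    alerts, per_hour = set(), Counter()
    for ts, dev, dst, port in flows:
        b = baseline.get(dev)
        if b is None:  # a device nobody profiled is itself a finding
            alerts.add((dev, "unprofiled-device", dst))
            continue
        if (dst, port) not in b["peers"]:
            alerts.add((dev, "new-peer", f"{dst}:{port}"))
        if ts[11:13] not in b["hours"]:
            alerts.add((dev, "unusual-hour", ts[11:13]))
        per_hour[(dev, ts[:13])] += 1
        if per_hour[(dev, ts[:13])] > burst_factor * b["peak"]:
            alerts.add((dev, "request-burst", ts[:13]))
    return sorted(alerts)

print(*detect(OBSERVED, build_baseline(LEARNING)), sep="\n")
```

Replaying the learning records through `detect` yields no alerts, which is a quick check that the baseline is self-consistent before it is used on live traffic.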
Expect to be compromised
The lifespan of an IoT device in a consumer environment versus an industrial or commercial environment varies widely, from three to five years in a consumer environment and an average useful life of seven to 10 years in a commercial environment. In reality, only a small fraction of them are smart devices with controlled update mechanisms, so expect all built-in protections to be out of date within two years.
Even with the implementation of standards pending in product development cycles, assume that everything in your environment and everything you are doing to protect it is flawed. There is always someone who knows more than you, so it is important to play out these what-if scenarios. Ask yourself what would happen if these devices were compromised and the impact that would have. And while it is tempting to try to predict how it might happen, it’s more important to focus on if it happens. You will never be able to predict all the hows.
Assuming these risks, it’s important to prepare your defenses.
- First, prioritize and separate the devices. Separating devices on the network will minimize any potential damage in the event of an attack and allow you to isolate them quickly. Leveraging endpoint detection and response technologies or working with a service provider that provides endpoint detection and response remains key to identifying and remedying potential threats at the user or device level.
- Develop short, medium and long term plans to manage device maintenance. Understand which devices, such as switches and routers, need to be up to date with the latest operating system or software. Know how easy or difficult it is for updates to reach devices, and if there is a vulnerability, how quickly the vendor can fix and distribute an update.
- Identify mitigation measures for supply chain attacks. Consider not only the production line of these devices, but also the environment and ecosystem of that device, especially at the service provider level.
When you assess the security of IoT devices in your organization, preparation is key. By understanding what you can do to ensure secure product protections and take advantage of penetration testing, as well as endpoint and network defense preparedness, you will be better equipped to deal with fallout when vulnerabilities are inevitably exploited.
About the Author
Alex “Jay” Balan is a chief security researcher and spokesperson for Bitdefender. His career has focused on information security, innovation and product strategy, areas in which he has accumulated more than 15 years of experience. He drove the vision for Bitdefender’s Unix-based security solutions before launching a project that would advance the company’s R&D department and steer part of the company’s focus on technology and innovation. He now advances security and privacy research and has been actively involved in raising awareness by speaking at several conferences including RSA Conference, DefCon Hacking Conference, Derbycon, Security BSides, Internet Security Conference, Interpol Meetings on cybercrime for heads of units, DefCamp, IMWorld, Future of Media and many others.