By Scott Register, VP Security Solutions at Keysight Technologies
We’ve all seen the rush to deploy the new wave of connected devices but the speed at which these devices have been embraced may threaten fundamental security protocols.
We love the convenience that ubiquitous connectivity brings us; our cars can reroute us based on traffic jams, we can adjust our lights or AC without leaving the couch, we can get up-to-the-minute blood glucose readings, and we can precisely monitor energy flow across a smart grid and optimize manufacturing with smart factory floors.
Aided by technologies such as Bluetooth Low Energy, WiFi, and 5G, the pace of Internet of Things (IoT) deployment continues to accelerate. However, in a recent Forrester report, 69% of surveyed respondents estimate that at least half of all devices on their enterprise network or internet-of-things (IoT) are unmanaged, and 26% estimate that unmanaged devices outnumber managed devices on their network by three to one.
Well, as with any new technology, there are going to be drawbacks. Among the most significant: our ability to build and deploy intelligent, connected devices has outpaced our understanding and practices of how to secure them.
We’ve seen large botnets take over farms of IoT devices and shut down large chunks of the Internet, a recent escalation in healthcare organizations hit by ransomware attacks impacting connected medical devices, and privacy breaches impacting everything from baby monitors to smart watches.
Lessons for ‘Connected Device’ Security—Think Like an Attacker
IoT devices really are special. For traditional IT devices, like Linux servers and Windows laptops, we have established best practices for security. It isn’t perfect, but in reality, if we keep the operating system and any endpoint security software up to date, we’ll eliminate the majority of system vulnerabilities. In fact, an analysis earlier in 2022 showed that flaws from 2017 and 2018 were still among the most commonly exploited today; a simple and free OS update would have blocked them.
IoT devices, however, are more often black boxes – we don’t know which version of what operating system they’re running, or which versions of what libraries, and even if we have that information, we can’t force an update; we typically have to wait for a patch from the manufacturer.
There are no standards or real consistency for tracking security flaws across connected devices; the only way we can understand where the problems are is to test them ourselves. Then, armed with a better understanding of how IoT devices are impacting our attack surface, we can deploy targeted mitigation strategies to address the vulnerabilities we’ve discovered.
This is, of course, good information to have and a good strategy to pursue. But how do we know that our defensive tools, the stack of network, cloud, email, and endpoint security tools that we array to keep both our traditional and nontraditional IT devices safe, are working? How do we know if an emerging threat is able to slip through our firewall, or run undetected on an endpoint, or make it through our email gateway to target an unsuspecting phishing victim?
The same principle applies; we really need to test our defensive stacks, on a continuous basis, to make sure they’re optimized and tuned to catch the latest attacks that threat actors are deploying against us. This lets us, finally, go on the offensive and think like an attacker – we can test and probe our networks and devices ourselves, discovering vulnerabilities and attack paths ourselves, rather than waiting for a bad guy to do it.
We can get ahead of hackers by discovering and closing gaps in detection and visibility before they can be used against us.
Scott Register is VP Security Solutions at Keysight Technologies, which offers IOT Security Assessment, Threat Simulator, and Vision Series Network Packet Brokers to help companies stay one step ahead of security threats. He recently spoke at the GoSec22 conference in Montreal on the challenges countering the increasing threats from connected devices.