InfoSec Professionals Predict More IoT Attacks; Utilities and Healthcare Most at Risk

For many security professionals and researchers attending Black Hat 2018 this week in Las Vegas, the Internet of Things (IoT) was a hot topic. From sessions on hacking industrial control systems, pacemakers and cars, to major vulnerabilities in smart city equipment, security for unmanaged devices continues to be a chief concern. These unmanaged devices are the new attack landscape.

Just the week before the Black Hat conference, the FBI issued a public warning about how cybercriminals are attacking IoT devices, and using those devices as proxies or intermediaries to attack other devices on the network where the IoT device resides.  

This is all just the tip of the iceberg. Although it may still seem like early days for IoT, Gartner predicts we’ll see a 20.4 billion IoT devices in use worldwide by 2020. Despite the security concerns, adoption will continue to rise, according to a new Bain & Co study.

To find out what the people in the enterprise security trenches think about the future of IoT security, Armis surveyed 130 IT security professionals attending Black Hat. Here are some key findings:

Nation-States Will Exploit Insecure IoT Devices in the Next 12 Months

One of the most striking results of the survey was that the vast majority of respondents (93 percent) predict that nation-states will target or exploit connected devices in the next year. We have only to look at the impact of the Mirai botnet to see the scale of the problem more than 100,000 compromised devices shut down large parts of the internet. This was a signpost event with the FBI saying that cyber crime was no longer just about desktops. The fact is we have seen a number of Mirai variants since that initial attack.

Nation-states will target or exploit IoT devices within the next year chart

Figure 1: Nation-states will target or exploit IoT devices within the next year

Utilities and Healthcare Most At Risk

In light of recent reports that Russian hackers penetrated critical infrastructure in the United States, Armis asked respondents to weigh in on which industries are most at risk from IoT attacks. Nearly a quarter of respondents (23 percent) said energy and utility companies are at most at risk, followed by 17 percent citing healthcare; and 15 percent each saying financial services. Given how critical these industries are to our individual health and societal survival, it’s a good thing researchers are trying to find and fix security issues and to share their findings with the community at large at forums like Black Hat.

Industries expected to be targeted by IoT attacks

Figure 2: Industries expected to be targeted by IoT attacks

Experts Predict More IoT Attacks, But Unable to Secure Against Them

Gartner predicts that by 2020, more than 25 percent of identified attacks on enterprises will involve IoT. Information security professionals, however, are much more pessimistic. Fifty nine percent of respondents to the survey said they believe that figure is too low.

Chart of professionals responding to Gartner's IoT attack predictions

Figure 3: Gartner predicts that by 2020 more than one-quarter of attacks against enterprises will involve IoT. Most respondents say that number is too low.

Current IoT Security Practices Used But Not Effective

When asked how they are securing unmanaged devices in their workplace, 25 percent of respondents said network segmentation is their top protection approach. Twenty one percent said they use network access control, and the same percent said they use firewalls to protect unmanaged devices. Twenty percent said they use endpoint protection. Moreover, 8 percent of respondents said they don’t allow unmanaged devices on their networks, and 5 percent claimed they don’t have any unmanaged or IoT devices in their environment.

The last two numbers in this question show that a significant number of people don’t fully understand what an “unmanaged device” is. For example, a printer or a switch is an unmanaged device from a security perspective. They can’t accommodate a security agent to block attacks or monitor their behavior. Similarly,  smart TVs, smartwatches, connected headsets, VOIP conference systems or smart displays are also unmanaged devices. Yet, respondents didn’t see them as “unmanaged.” Armis always finds such devices on corporate networks. Sometimes we find that they are already compromised.

Network segmentation is a good practice, but it can easily be defeated. This was the subject of a bulletin by US CERT and our demonstration at the RSA 2018 security conference.

Putting all unmanaged devices behind your firewall is also a best practice, but as we discussed last month, the simple DNS Rebinding exploit allows an attacker to bypass your firewall and attack unmanaged and IoT devices from within your network.

How Do professional protect unmanged devices

Figure 4: Survey respondents mostly rely on traditional security solutions to protect unmanaged devices, like network segmentation, network access controls and firewalls.

Software Vulnerabilities and Lack of Patching are Top Concerns

Asked what the biggest IoT device security problem is, 38 percent of survey respondents said vulnerabilities in the OS or applications; 36 percent said the inability to easily patch connected devices; 17 percent said the fact that IoT devices cannot be protected by traditional cybersecurity solutions; and 9 percent said vulnerabilities in wireless protocols. Many IoT devices are designed for specific uses, and they have embedded operating systems that don’t support security software and patches.

Figure 5: IoT devices contain numerous security risks

It’s clear that security professionals are beginning to realize that risky unmanaged devices are increasingly dotting their environments. But the survey shows they don’t feel as prepared as they should be to address the risk, and they see more attacks on the horizon. It’s a sobering reality, but there are ways to address the problem now. Armis provides technology that helps organizations see all the managed and unmanaged devices on all of their networks, monitor every device to detect compromised behavior, and protect by quarantining devices automatically acting suspiciously or maliciously.

Comments are closed.