
The False Binary of IoT and Traditional Cyber Security

There’s a new challenge in cyber defense and it’s coming from everyday objects that increasingly surround us — the Internet of Things (IoT). From coffee machines and fridges to virtual assistants and video cameras, consumers are embracing a new wave of connected devices. But they seldom consider the host of unforeseen vulnerabilities that come with them.

With few regulations to hold manufacturers of connected objects accountable, these internet-enabled devices offer a direct path to often very sensitive data. Meanwhile, security teams are scrambling to cope with a threat landscape that is more complex than ever, as any device lurking on your network could be subject to sophisticated attacks — not just desktops and servers.

Most IoT devices weren’t built with security in mind. They were designed for ease-of-use and a quick time-to-market. That’s part of the appeal — IoT devices are generally cheap, useful, and simple to set up. But convenience comes at a cost. 

Many of these devices do not issue firmware updates or come with patch management. Some use electronics bought from uncertified third parties, and still others use default usernames and passwords like “admin” or “password” that users can’t change even if they wanted to.

IoT Enterprise Threats

We have already seen IoT devices being used en masse by cyber-attackers as an easy route into unprotected networks. In September 2016, Mirai malware scanned the internet to look for vulnerable IoT devices that had default settings. It found millions across the world, which became the unwitting accomplices in a major attack that the firm Dyn sustained against its managed DNS infrastructure.

But criminals find IoT devices attractive in their own right. Some of the most sophisticated cyber-attacks have started with an IoT breach. Not only are such attacks subtle, silent, and stealthy, but typically they are carried out with military precision. Imagine if the video-conferencing unit in your corporate HQ had been infiltrated and highly sensitive information left the building on a daily basis? Or if a biometric scanner had been compromised by a criminal group with the ultimate goal of including their own fingerprints in the database to gain access into your highly-restricted critical infrastructure facility? In fact, both of these attacks were planned out as described, but unsupervised machine learning technologies detected and stopped them in their tracks before they made front-page news.

These IoT hacks raise a critical question: Whose job is it to secure the office’s connected thermostat or coffee machine? Should a ventilation system connected to the internet be protected in the same way as a company-issued laptop? And how are these emerging IoT vulnerabilities changing the approach to cyber-security?

The boundaries of what was once considered IT are expanding, and the roles of the security team must adapt to this new reality. Security officers and IT professionals who have historically been responsible for the traditional IT of desktops and servers are now forced to consider IoT as yet another inroad into the networks that they are tasked with defending. 

To address these challenges, enterprises will need to take a more holistic approach to cyber security, uniting IT and security teams with procurement and building management, HR executives, and even senior management. They also need to appreciate that, even with all these people together, it will take more than better human attention to protect our expanding networks. 

The vast majority of security tools rely on outdated models and past experience to determine what should and shouldn’t be monitored. They overlook printers, HVAC, light bulbs, vending machines, and other IoT devices, often forgetting that criminals are always going to target an organization’s weakest spot. In the modern threat landscape, every connected device is fair game, and IoT devices are often the most attractive targets. The reality is that about 85 percent of networks are infiltrated in some way. Stopping the bad guys at the door is no longer prudent or indeed possible. Instead, security teams need to focus on gaining visibility of every device in the network, not just traditional computers, to protect the networks from within.

A new class of AI technology, based on machine learning, is becoming indispensable in giving organizations the ability to monitor every device on a network to help spot potential cyber-threats. 

As the IoT continues to grow — up to 13.5 billion devices in 2020 according to Gartner — the accompanying security risks will only become more serious. As the old dividing lines between computers and non-computers dissolve, organizations are forced to reconsider cyber security from a top-down perspective. Cyber security is now everyone’s job. But if technology is permeating all objects, it will also provide the means to protect them. Now more than ever we need to rethink cyber security, and our technology has to keep pace. 

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.