The Internet of Things (IoT) is exploding, emerging in fields and industries that even a year ago would have seemed unlikely. From an MSP perspective, the increased presence of IoT devices means there are numerous new attack surfaces to defend. That, however, in the MSP business is an opportunity.
For thoughts on some of this year’s most pertinent developments in the ever-evolving world of IoT, SmarterMSP caught up with Dr. Ahmed Banafa, a professor at San Jose State University and an expert on cybersecurity and IoT. A summary of the interview is below.
SmarterMSP: What are the biggest security threats that IoT devices pose to small and medium-sized businesses?
The current centralized architecture of IoT is one of the main reasons for the vulnerability of IoT networks. With billions of devices connected and more to be added, IoT is a big target for cyber-attacks, which makes security extremely important.
SmarterMSP: How do we go about securing IoT devices?
The concept of IoT introduces a wide range of new security risks and challenges to IoT devices, platforms and operating systems, communications, and even the systems to which they’re connected. New security technologies will be required to protect IoT devices and platforms from both information attacks and physical tampering, to encrypt their communications, and to address new challenges such as impersonating “things” or denial-of-sleep attacks that drain batteries, to denial-of-service attack (DDoS). But IoT security will be complicated by the fact that many “things” use simple processors and operating systems that may not support sophisticated security approaches. In addition to all that; experienced IoT security specialists are scarce, and security solutions are currently fragmented and often involve multiple vendors.
While any device with connectivity can be risky, sensors, connectivity links, routers, and all operation systems (OS) are all deemed as particularly high risk.
SmarterMSP: What are some of the newest, most recent developments in IoT security?
Blockchain offers new hope for IoT security for several reasons. First, Blockchain is public. Everyone participating in the network of nodes of the Blockchain network can see the blocks and the transactions stored. Despite this heightened visibility, users can still have private keys to control transactions. Second, Blockchain is decentralized, so there is no single authority that can approve the transactions, eliminating Single Point of Failure (SPOF) weakness. Third and most importantly, it’s secure — the database can only be extended and previous records cannot be changed.
In the coming years, manufacturers will recognize the benefits of having Blockchain technology embedded in all devices and compete for labels like “Blockchain Certified.”
SmarterMSP: Do you see the evolving IoT presenting more security threats in the future, or will MSPs and device manufacturers find a way to neutralize threats?
Since 2016, this problem has been rapidly growing. On October 21st, 2016 there was an immense assault on Dyn that involved millions of Internet addresses and malicious software. Across the U.S., servers of businesses like Twitter, Netflix, NYTimes, and PayPal were crippled by a massive distributed denial of service attack.
One source of the traffic for the attacks was devices infected by the Mirai botnet. Preliminary indications suggest that countless Internet of Things (IoT) devices that power everyday technology like closed-circuit cameras and smart-home devices were hijacked by the malware and used against the servers.
For example, in a recent post on Krebs on Security, Brian Krebs explained that “Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
What makes this attack so interesting, is that the devices hijacked have been networked to create the Internet of Things. In this case, the offender was likely digital video recorders (DVRs) used to record live TV, DVRs and webcams, like those used around houses for security. As with the Dyn attack, all these devices now moonlight as zombies under control of malicious actors bent on taking down individual websites or even portions of the internet.
SmarterMSP: How do we prevent future attacks like the Mirai botnet?
There are four interrelated things that need to change if we are to have a chance to combat this growing threat.
- We need to change our attitudes about networked technologies. This means not using default/generic passwords, and we should disable all remote (WAN) access to our devices.
- Industry leaders need to make security and resilience in digital spaces a priority. When considering overall strategy, whether for an enterprise or a government, cyber strategy must be a key concern.
- We need to make a serious attempt at prioritizing security in IoT deployments. Security by design or ensuring that security is built into technology from the beginning — for example, security at the chip level — is a step in the right direction.
- Innovators and regulators work together to help align incentives, which are currently behind deploy-first-secure-later approaches, to support security in IoT.
To learn more about this growing threat, check out Dr. Banafa’s new book, “Secure and Smart Internet of Things using Blockchain and Artificial Intelligence” which will be released later on this month.
Photo: dencg / Shutterstock.