
The Internet of Things (IoT) is poised to revolutionize how the world works. As more and more “smart” devices begin to communicate with one another, we can expect to see IoT devices lower business costs and shape consumer activity. These changes will continue to accelerate; by 2020, the IoT is expected to expand beyond 50 billion devices.

Not all is rosy with IoT, however. Studies such as those conducted by Veracode and Hewlett-Packard have found security vulnerabilities, sometimes hundreds at a time, in popular IoT devices. Not surprisingly, attackers have, in turn, exploited those flaws to incorporate IoT devices into botnets, launch distributed denial-of-service (DDoS) attacks and bring down companies’ websites.

However, those threats have yet to make a difference to many organizations.

In recent years, organizations have not done enough to prepare for the security risks associated with IoT. Tripwire found in one survey that only 27 percent of C-level executives were “very concerned” about the risks posed by IoT.

That’s in spite of the fact that less than a quarter of IT professionals in another Tripwire study said they were confident in the secure configuration of common IoT devices already on their enterprise networks.

Hoping that organizations had adopted a different mindset more recently, Tripwire surveyed 220 attendees at Black Hat USA 2016 about their IoT readiness. Unfortunately, the results proved just as disheartening.

When asked if their organizations were prepared for the security risks associated with the Internet of Things, only 30 percent of respondents answered “yes.” Just a slightly higher fraction of participants (34 percent) said their organizations accurately tracked the number of IoT devices on their networks.


Tim Erlin, director of IT security and risk strategy for Tripwire, feels these results convey how IoT is a persistent weakness for many organizations:

“The Internet of Things presents a clear weak spot for an increasing number of information security organizations. As an industry, we need to address the security basics with the growing number of IoT devices in corporate networks. By ensuring these devices are securely configured, patched for vulnerabilities, and being monitored consistently, we will go a long way in limiting the risks introduced.”

Surprisingly, many respondents answered other questions in a manner that contradicted industry trends. Less than half (47 percent) said they expect to see the number of IoT devices on their networks increase by at least 30 percent in 2017, for example.

Additionally, while an even greater percentage (78 percent) of participants said they’re concerned about the weaponization of IoT devices for use in DDoS attacks, only 11 percent said DDoS campaigns were a top concern for their organizations. That’s in spite of research illustrating DDoS attacks’ continued growth in size, sophistication and number.


Dwayne Melancon, vice president of products for Tripwire, believes organizations should be concerned about those trends, especially the weaponization of the Internet of Things:

“It wasn’t so long ago that home computer ‘zombie armies’ were the weapon of choice for a lot of cyber-attacks and denial of service attacks. It seems that security professionals see IoT devices as a sort of ‘zombie appliance army’ that’s worthy of great concern. That makes sense, since many of the current crop of IoT devices were created with low cost as a priority over security, making them easy targets. The large number of easily compromised devices will require a new approach if we are to secure our critical networks. Organizations must respond with low-cost, automated and highly resilient methods to successfully manage the security risk of these devices at scale.”

To read about what role manufacturers have in securing the Internet of Things, please click here.

For more on Tripwire’s survey as well as another study it conducted at Black Hat USA 2016, please click here and here, respectively.