More than a year ago, an eye-opening RAND study on cybersecurity comprehensively explored just how vulnerable the Internet of Things (IoT) is and was going to be.
Afterthought-style patch-on-patch security, as well as significant vulnerability risks involved with slapping internet connectivity on previously non-connected objects, were among the startling findings and predictions in that report.
Since then, questions have arisen as to just how one should approach the security needs of the soon-to-be billions of networked, smart, cheap sensors expanding around the globe like popcorn.
There is a “need for IoT security,” affirms the Cloud Security Alliance (CSA) in its 80-page guidance released today.
No one doubts anymore that internet of things (IoT) devices pose a huge security threat, as a recent massive IoT-fueled DDoS attack made clear. But what many enterprises have yet to wake up to is that major structural changes are needed, involving IT and C-level executives above IT. IoT is a new and different kind of threat that can’t be effectively battled in an old-fashioned way.
From an enterprise’s perspective, there are three sides to the IoT threat: 1) being attacked by an IoT army from around the world; 2) allowing enterprise-owned IoT devices to participate in such an attack against others; and 3) allowing your IoT devices to attack your own company. Making structural changes to your business will do nothing to help you defend against the first scenario, but it could make a profound difference in blocking attack scenarios two and three.
Overly optimistic market predictions have led to high expectations for the Internet of Things (IoT), but those forecasts are becoming more modest as adoption of the IoT proves to be slower than projected. Dr. Shipeng Li, CTO of IngDan, weighs in on the next steps in overcoming issues with usability and usefulness and spurring adoption of the IoT.
The botnet, which is powered by the malware known as Mirai, is in part responsible for the attack that intermittently knocked some popular websites offline, according to Level 3 Communications, one of the world’s largest internet backbone providers, and security firm Flashpoint.
“We are seeing attacks coming from a number of different locations. We’re seeing attacks coming from an Internet of Things botnet that we identified called Mirai, also involved in this attack,” Dale Drew, chief security officer at Level 3 Communications, said on a livestream on Friday afternoon.
Now C-level executives who aren’t sure what to do about it can consult a security framework published by the Industrial Internet Consortium, a group of over 240 vendors and associations including Schneider Electric, General Electric, Fujitsu, Intel, Kaspersky, Cisco Systems, Symantec, Microsoft and SAP. The framework emphasizes the importance of five industrial IoT characteristics – safety, reliability, resilience, security and privacy – and defines risk, assessments, threats, metrics and performance indicators to help business managers protect their organizations.
The Internet of Things, or IoT, is one of the buzziest terms at present. Many developing technologies are part of this space. The IoT is a network of physical objects (the “things”) embedded with electronics, software, sensors and network connectivity. These elements enable objects to collect and exchange data without a need for human interaction. Each of these technologies relies on the IoT in a different way, providing a competitive advantage or differentiator.
Speaking in the aftermath of the large DDoS against security journalist Brian Krebs, Ellis elaborated a little on the makeup of the botnet which took down Krebs’ website, saying it was mostly made up of hacked Internet of Things devices.
“We’ve noticed a strong overlap between the attack … and one of the botnets that we have been working at in modelling,” Ellis told El Reg, as he named the Kaiten malware as one of the vectors involved in the Krebs attack.
Hang around the Web long enough and you’ll see more than your share of cartoons mocking the Internet of Things. (I refer, of course, to the collection of uniquely identifiable devices that are connected to the Internet and are capable of transmitting and receiving data over that connection.) “We have to go out for dinner,” runs one typical caption. “The refrigerator isn’t speaking to the stove.” It’s easy to poke fun at gadgets such as video-enabled toothbrushes and smart tampons, but don’t let these facepalm-worthy devices distract you from the serious side of IoT. Market research firm Gartner predicts that over 6 billion IoT nodes will be connected this year, while a report from DHL Trend Research and Cisco Consulting Services puts the number at 15 billion. That’s a lot of “things,” and the only trend everyone can agree on is that these numbers are going to get bigger. The good news for language watchers is that as the IoT grows, so does the lingo surrounding it. A full glossary of IoT-related terms would fill a year’s worth of columns, so I’ll just spend the rest of this column looking at a few noteworthy coinages.
Over the last few weeks, unknown hackers have launched some of the largest cyberattacks the internet has ever seen. These attacks weren’t notable just by their unprecedented size and power, but also because they were powered by a large zombie army of hacked cameras and other devices that fit into the category of Internet of Things, or IoT.
On Friday, the hacker who claims to have created the malware that was powering this massive “Botnet Of Things” published its source code, which appears to be legitimate.
The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in one of the largest such attacks ever recorded.
The powerful zombie network that spawned a 620Gbps DDoS was created by relying on factory default or hard-coded usernames and passwords to compromise embedded devices. The availability of the Mirai source code makes it much easier for other hackers to take advantage of insecure routers, IP cameras, digital video recorders and other IoT devices to launch similar attacks.