According to Dark Reading, a new Ponemon Institute report, The Internet of Things (IoT): A New Era of Third Party Risk, states that a majority of companies rely on legacy technologies such as network firewalls and intrusion prevention systems (IPS) to ward off cyber threats such as malware, ransomware and distributed denial of service (DDoS) attacks.
The Overwhelming IoT Security Issue
Apparently, their legacy technologies still do not make them feel secure, the article states that an overwhelming majority (94%) of those surveyed believe that in the next two years unsecured IoT devices and IoT applications will likely lead to a catastrophic event; data loss or theft (78%); DDoS attack (76%); and a cyberattack (76%).
The report, which is based on a survey of risk security professionals, suggests that “companies need to track third-party IoT devices and IoT software connecting to their network and provide a way to centrally monitor their activities.” The survey found that only 48% tracked their IoT devices in the workplace.
IoT devices are often hacked for two reasons:
- Manufacturers sometimes neglect proper security architecture for their IoT products.
- End-users don’t change the default user passwords on their IoT devices.
Who's responsible for IoT Security?
Like many other IT experts, we at Corero strongly believe that manufacturers should build better security into the devices, and end-users, whether they are consumers or enterprises, should update the password on each device from the manufacturer’s default setting.
This Ponemon research is important because unsecure IoT devices are the cause of many IT security problems, and good governance would be helpful for all. An infected device might not be used against the company that owns it, but it could be used as part of a botnet that affects another company halfway around the world.
In enterprises, the stakes are even higher. As the Ponemon study suggests, it is important for enterprises to go further, and manage/monitor their IoT devices. Realistically, hackers have plenty of IoT deviced to recruit. Considering the billions of IoT devices worldwide, there are likely thousands that can't be patched to the latest security standards, and thousands that won’t be properly secured by their owners.
Rise in IoT-driven DDoS Attacks
At Corero we have long-anticipated the parallel growth of IoT devices and DDoS attacks; indeed, the largest DDoS attacks ever recorded, such as the now-infamous 1.2Terabit per second DDoS attack on domain name service provider Dyn in October 2016, were fueled by un-secured IoT devices that were harnessed by the Mirai botnet code to form a botnet “zombie army.” We can safely predict that even larger attacks—in the multi-terabit scale—will soon become more common because the number of IoT devices is growing exponentially worldwide.
Even though a company may practice good IoT hygiene, they cannot protect their network from DDoS attacks. It’s essential to improve the company network’s defenses; neither a firewall nor an IPS is sufficient; both can be taken down easily by a small DDoS attack. No one can control the security of IoT devices that they don’t own, but you can control your enterprise by implementing real-time, automated DDoS protection.
For more information, contact us.