Internet of Things (IoT) Devices + Third-Party Cyber Risk Management
by Brianna Groves
Internet of Things, better known as IoT, is a multi-billion dollar industry selling efficiency and convenience to its customers. These devices can be described as everyday objects that have the capability for internet connectivity and interaction with other devices connected to the internet. To date, there are roughly 8 billion internet-connected things across the globe, and this number is expected to grow to approximately 25 to 30 billion by the year 2020.
The word “things” is a trending buzzword, but what are the “things” we talk about in the context of IoT? Well, anything from our mobile phones to smart watches, cameras, refrigerators, smoke alarms, baby monitors, printers, speakers, coffee machines and security cameras: all of these are types of devices that can or may have some sort of connection to the internet and can be tracked and managed remotely.
Because IoT devices have the ability to connect to the internet, they introduce new paths that attackers can leverage as attack vectors. That said, as with most other vulnerabilities, efforts to mitigate the risks in this ecosystem are lagging.
Currently, there are some considerable disconnects in the realm of IoT that justifiably put many IT and security professionals on edge. The threats that exist with these devices stem from a few weak areas: a lack of firmware security in IoT devices, a lack of internal management processes at companies, and a lack of due diligence on their third parties’ IoT security practices. Below I’ll talk about these three fundamental problems that fuel the threats within this territory.
IoT devices are not generally built with security in mind
Like the early days of the internet, in order to keep up with the growing demand, companies quickly pushed their products to the production line without sufficiently addressing internet security, which caused various immediate issues and a need for quick fixes. It would appear that in many ways, history might be repeating itself with IoT. With little to no security foundation built into IoT devices, attackers have a great opportunity to manipulate these devices for their own interests.
According to a report, “The Internet of Things: a New Era of Third-Party Risk”, conducted by the Ponemon Institute and sponsored by Shared Assessments, “Risks include the ability of criminals to harness IoT devices such as botnets to attack infrastructure and launch points for malware propagation, spam, DDoS attacks and on anonymizing malicious activities.”
A great example of this type of risk is the 2016 Mirai attack. Mirai was malware that turned networked devices running Linux into remotely controlled “bots” to be used as part of a botnet. The primary targets of this malware were IoT devices, with the purpose of later using them to perform various Distributed Denial of Service (DDoS) attacks.
Bringing insecure devices into the workplace, then failing to monitor & update them
Another major issue with IoT management is the lack of responsibility for these devices. Without much accountability to address or manage IoT risks, there is little basis for establishing a documented update cycle for these devices. It’s not uncommon to see devices more than three or four years old in full use in an enterprise network, especially when the manufacturers stop producing a certain product, or patches for older products are no longer offered. What’s more, most organizations are not aware of every insecure IoT device in their environment, or in those of their third-party vendors.
Let’s flip the script and also consider the new thinking behind BYOD and allowing these devices to access privileged company information. Most IoT devices are connected to a mobile device, and with companies now allowing mobile devices on their network, it’s possible for attacks to move laterally in either direction. The risks seem even greater when there are no policies around the security of an employee’s personal device. Let’s not forget that mobile phones are themselves IoT devices to begin with.
Only 29% of all organizations are actively monitoring for third-party IoT risk
This lack of security associated with IoT devices presents serious dangers surrounding third-party IoT devices. According to the Ponemon report, 26% of respondents admit they are unsure if their organizations have been affected by a cyber-attack involving an IoT device. Similarly, fewer than half of all organizations say they are actively monitoring for IoT device risks within their workplace, and only 29% of all organizations are actively monitoring for third-party IoT risk.
This substantial gap is unsettling when 94% of respondents believe there is potential for another DDoS attack involving unsecured IoT devices in the next two years, and that such an incident would be catastrophic.
Overall, it may be said…
As IoT technology is increasingly integrated into our routines, you can bet a great percentage of cyber-attacks will target this fast-evolving industry. However, enterprises are finally realizing the risks that IoT devices bring to the workplace, as well as what it means to have devices connected to a corporate network by a third party.
Risk management in this area is not fully matured, and many third parties are not yet being properly assessed for this type of risk. It’s important to first be aware of all IoT devices or applications currently implemented within your network, as well as within your third parties’. At that point, assigning responsibility to implement policies and assessment reviews around the security of these devices should be treated as a high priority.
BRI GROVES
SECURITY ANALYST