New IoT security recommendations surface as targeted cybercrimes surge
By Max BurkhalterJune 12, 2020
As the number of connected enterprise devices grows, security researchers are having to develop new IT governance strategies to keep private networks secured. The rapid adoption of internet of things technologies has introduced vulnerabilities that most end users are unaware of, many of which exist at the device level. To mitigate these emerging threats, companies have started integrating cutting-edge IT management and security tools that do not always fit neatly into their existing frameworks. According to research from the IoT security firm Armis, over 90% of enterprise devices will be managed by nontraditional IT security tools by the year 2021. But before organizations can deploy new defensive solutions, they first need to establish clear policies around IoT usage and enablement that take cybercrime into account.
Hackers are aggressively targeting enterprise IoT
Cybercrime continues to be a pervasive and costly problem facing organizations looking to capitalize on the IoT, especially those that lack in-house cybersecurity teams. When new IoT devices are connected to a network, it takes roughly 5 minutes before they are attacked by external users, according to a Threat Intelligence Report from NETSCOUT. Without a proactive deployment plan, companies may find themselves inundated with targeted malware, DDoS attempts and data breaches. As noted by the network security developer SonicWall, IoT malware attacks surged 215.7% between 2017 and 2018 - the first half of 2019 saw another 55% increase in malicious activity. Every year, IoT cybercrime records are shattered, suggesting this trend is here to stay.
In terms of specifics, the software company Forescout Technologies found that enterprise IoT risks are diverse and in a constant state of flux, as hackers are continuously developing new tools and techniques to infiltrate secure networks. If a malicious actor was able to infect a single endpoint with malware, they could quickly establish a foothold by planting backdoors. Once an IoT device is under their control, cybercriminals can launch automated IoT botnet attacks, infect critical IT systems with ransomware and gain access to sensitive data, increasing the risk of identity theft. To offset these digital threats, security researchers and government agencies are proposing new laws and best practices around IoT that are just starting to pick up speed.
U.S. government releases new IoT security white paper
As part of an ongoing initiative to improve the United States' cybersecurity posture, lawmakers and government officials came together to create the Cyberspace Solarium Commission. In early March, the agency released its first white paper, Lessons from the Pandemic, which explored the parallels between the COVID-19 outbreak and cyberattacks. Among the proposed recommendations, security researchers highlighted the need for a new IoT-focused security law that would standardize a set of best practices around the deployment, integration and management of connected technologies. The CSC also emphasized the need for greater collaboration between federal agencies and the private sector, both for mitigating cybercrime and monitoring the activities of foreign entities.
While the white paper was largely focused on countering "foreign influence and disinformation," the CSC's recommendations are equally applicable to enterprise environments. For example, the researchers noted that the rapid transition to remote work has exposed weaknesses in popular WiFi routers and other IoT devices. To shore up these vulnerable endpoints, the CSC has proposed mandating that all IoT tech have "reasonable security measures as determined by NIST guidelines." Although it's still unclear what these measures may include, it's likely new regulations around IoT usage are on the horizon.
IoT labeling may increase cybersecurity awareness
Another promising IoT security measure comes from researchers at Carnegie Mellon University, who developed a "prototype" labeling process similar to the nutrition tables found on food and beverage products, according to a press release on their Security & Privacy Label website. If implemented, these labels could help inform buyers (both in the consumer and enterprise market) about the type of data specific IoT devices gather, and whether they receive automatic security updates. This initiative is especially important considering that most IoT device manufacturers do not currently provide this sort of detailed product information.
What's more, a vast majority of cheap IoT equipment comes with little or no built-in security, as noted in a recent article from ZDNet. For enterprise customers, these flaws represent critical weaknesses in their network-, application- and device-level cybersecurity frameworks. Of course, insulating a growing number of endpoints from digital exploitation requires cautious planning, proactive change management and the right infrastructural tools to support ongoing improvements. There's no telling how cybercriminals will adapt to these new failsafes, or if government agencies will follow through with their plans for an IoT-focused security law. To stay adaptable, enterprises should start optimizing their systems now and take steps to mitigate hacking attempts during the early stages of IoT deployment.
Luckily, Perle's reliable connectivity tools can give companies focused on digital transformation a considerable advantage during their reoptimization efforts. Our LTE routers and gateways can help minimize the cost of downtime and bring distributed sites online faster without sacrificing security. To learn more, explore our customers' success stories.