Thursday 30 July 2015

What is the 'shadow' Internet of Things – and how dangerous is it?


Introduction and IoT threat

Corporate IT is all about trying to balance demand for new technology in the workplace with the need for security. BYOD has been a threat to corporate IT networks for years, but the dependence of employees on tablets using the likes of Dropbox – and the general circumventing of IT rules and regs – is just the start.

Internet of Things (IoT) devices are actively penetrating heavily regulated industries such as healthcare, energy infrastructure, government, financial services, and retail, according to a recent OpenDNS report. This is 'shadow' IT. Not only have IT staff got to think about the BYOD craze, but they've also got to consider the plethora of smart devices and other parts of the IoT that are creating multiple insecure access points.

The IoT threat

Don't think you've got many IoT devices on your corporate network? Think again, says Andrew Hay, Director of Security Research at OpenDNS, who authored the 2015 Internet of Things in Enterprise Report.

"Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital My Cloud storage devices, various connected medical devices, and Samsung smart TVs continuously beacon-out to servers in the US, Asia, and Europe – even when not in use," writes Hay. Even worse, a survey of more than 500 IT and security professionals found that 23% of respondents make no attempt to prevent someone from connecting unauthorised devices to their company's networks.

In practice, the IoT is a free-for-all.

Samsung smart TVs constantly chat to remote servers

What kinds of devices?

IoT in the workplace already has a broad reach. "You are looking at everything from lifts to vending machines to heating control systems and smart utility meters on one side, to the IP-enabled coffee maker in the kitchen, the CCTV cameras in the hallways and car park to the smartwatches on employees' wrists at the other extreme," says Sergio Galindo, general manager, GFI Software.

It's a growing threat, too; IoT in the workplace is on the verge of a surge. "With a full range of smart building technologies and business appliances now IP-enabled and in everyday use to allow for remote monitoring, maintenance and configuration, the Internet of Things is already heavily entrenched in the business world, while the consumer world is still in its infancy," adds Galindo.

The shadow IoT

The more devices you have connected to the internet, the more vulnerable you are. "All devices, such as smart TVs, network attached storage (NAS) devices and wearables such as Fitbit do potentially expose a corporate network," says Dr Kevin Curran, Technical Expert at the IEEE, though he does point out that IoT devices are not equal, and that an infrequently patched Windows XP machine exposed to a network is much more of a threat than a webcam on the same network.

"Each device should be secure by default – it should only perform specific tasks and stop unauthorised activities from being carried out," says Amol Sarwate, Director of Engineering at Qualys. "Unfortunately, many developers don't have this mind-set in place from the start."

Even so, many IoT devices are not treated as potential threats, and IT staff often overlook them. "This can be simple things like not applying patches that are available to fix known problems, or not putting authentication steps in place to verify who has access," says Sarwate. "When these systems are on their own private networks, they can be easily mitigated, but adding internet access leads to immediate problems."

Keeping updated

Smart devices are not as simple to update as they ought to be. "With these devices, it's about making sure they have the latest firmware installed," says Galindo. "If manufacturers issue updates, getting those updates into everything from a smart thermostat to a smart lighting system is both important and time-consuming."

Patch management systems can help automate some of the software updating not covered by the likes of Windows Update, but with most IoT devices it's going to involve manually checking for updates, downloading them and applying them by hand.

Cloud threat and policy matters

The cloud threat

Cloud-enabled hard drives are traditionally thought of as local storage devices for backup in homes. "Western Digital cloud-enabled hard drives are now some of the most prevalent IoT endpoints observed," writes Hay. "Having been ushered into highly-regulated enterprise environments, these devices are actively transferring data to insecure cloud servers."

These and other IoT systems have much in common, none of which is welcome on corporate IT networks: they constantly check for system updates, contact external servers, download updates and other information, and back up device data.

Ditto the smart TV. They get online, they stream movies… and they chat. Although they were designed primarily for the home, all high-end TVs are smart TVs by default, so have found their way into corporate environments. "Our analysis of Samsung smart TVs found this beaconing behaviour to be common," writes Hay.

"While the issue of voice recognition has been widely discussed, our research also shows that these systems regularly beacon out to several external network locations when sitting idle with no user interaction," he adds, also suggesting that smart TVs may be communicating with legacy infrastructure that uses an untrusted security certificate.

"A number of attacks have been shown on smart TVs to date including exploiting a vulnerability in Hybrid Broadcast-Broadband Television (HbbTV)," says Curran. "The HbbTV broadcasts can be hijacked and data from corporate social media accounts stolen."

What not to wear (to work) – the Fitbit

Why worry?

"Everything with an IP address is a potential target, and by deploying a variety of IoT devices in the workplace, you've increased the number of targets for cybercriminals considerably," says Galindo. IoT devices send traffic to malicious network neighbourhoods, gather data or beacon out even when they're not being used.

The possible result? Hackers, malware writers and criminal gangs looking for an opportunity to steal data or disrupt a business or government agency can pounce, attacking an unpatched device or using the device's insecure infrastructure to move laterally into a corporate network.

"Software hacking and port hacking – taking advantage of open ports that cut through the firewall – will be the most likely attack vectors," says Galindo. "Malware attacks will grow as particular devices grow in popularity since malware writers usually won't waste their time on niche devices if they want mass chaos and reach," he adds. "Hijacking of IoT systems is a growing problem, usually as a result of weak passwords and vulnerable Wi-Fi connections."

The domino effect

"If one device becomes 'owned' it can easily spread to the remainder of the cluster," says Curran. "Even if something like a smart stereo or coffee maker has been hacked into, it can be trickier to tell than with a laptop or a smartphone." Without a visual display, smart devices can appear completely innocent, showing no signs of trouble.

The reason is simple: IoT devices are cheaply made, with little thought for end-to-end security. "Many of the embedded devices simply do not have enough computing power to implement all the relevant security layers and functionality necessary," says Curran.

If a specific IoT device is known to have a weakness, it could provide criminals with a way in to a corporate network. "This type of beaconing also presents an additional attack surface for criminals to target if a device-specific exploit is discovered," writes Hay.

Smartwatches could be the next IoT challenge for workplace IT

Shadow IT as a blueprint

Why is BYOD so popular? Mobile working and working from home are not exceptions to the rule; for many employees of large organisations, it's all they do. Don't ban Dropbox; offer a similar cloud backup service that's superior, and safe.

Shadow IT isn't a pain, it's a plan – the devices and services employees are using are a model of what that organisation's IT system needs to offer. It may show a lack of respect or understanding, but it's best viewed as the ultimate customer feedback.

Publicise the policy

It's one thing to have a policy around shadow IT, but another to disseminate it effectively. "An increase of employee-owned IoT devices forces IT to rely more heavily on user behaviour to reduce their impact on company networks," writes Hay, but he stresses that the enforcement of IoT policies is also crucial. "The survey results show that enterprises have made attempts to address the rapid growth of IoT devices on their networks, with almost 75% having set a defined policy – yet only 35% of consumers report being aware of any such policy at their companies."

The Dropcam internet video camera exhibits beaconing behaviour

Get to know the shadow

Making shadow IT less of a threat in the workplace requires some simple steps. "The first step is to create organisational rules and update network security infrastructure so that it can detect, and in some cases control, data transmitted to and from these devices," says Catalin Cosoi, Chief Security Strategist at Bitdefender. "Organisations should embrace a risk-management approach and reinforce the IT infrastructure and systems to restrict data access through firewalls, endpoint security solutions and proper policies, as well as monitor networks 24/7."

Cosoi recommends both alerting an administrator when an unidentified device connects to the network and taking a 'know thy enemy' approach. After all, anyone wanting to restrict or control an IoT device should at least know exactly how it works, what data it stores, and what it's doing with confidential corporate data.
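As an added example (not from the article, OpenDNS's report or Bitdefender), here is a small Python script that covers two things the article describes: the idle-time beaconing to external servers discussed in the cloud-threat section, and Cosoi's advice to alert on unidentified devices and know what each device is doing. The asset inventory, MAC addresses, domains and the DNS-style log format are all constructed for illustration.

```python
# Added example (not from the article): flags unknown devices on a network
# and regular "beaconing" to external hosts from constructed DNS-style logs.
from collections import defaultdict
from statistics import pstdev

# Constructed asset inventory: MAC address -> description of a known device.
INVENTORY = {
    "00:11:22:33:44:01": "finance-laptop-07",
    "00:11:22:33:44:02": "meeting-room-tv",   # a known smart TV
}

# Constructed log lines: "<epoch seconds> <source MAC> <queried domain>".
SAMPLE_LOG = """\
1438246800 00:11:22:33:44:02 tv-telemetry.example.net
1438247400 00:11:22:33:44:02 tv-telemetry.example.net
1438248000 00:11:22:33:44:02 tv-telemetry.example.net
1438248600 00:11:22:33:44:02 tv-telemetry.example.net
1438246900 00:11:22:33:44:09 cloud-sync.example.org
1438250500 00:11:22:33:44:09 cloud-sync.example.org
1438247100 00:11:22:33:44:01 intranet.corp.example
1438253000 00:11:22:33:44:01 intranet.corp.example
"""

def parse_log(text):
    """Return (timestamp, mac, domain) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1], parts[2]))
    return records

def unidentified_devices(records, inventory):
    """MACs seen on the network that are not in the asset inventory."""
    return sorted({mac for _, mac, _ in records if mac not in inventory})

def beaconing_pairs(records, min_hits=3, max_jitter=60):
    """(mac, domain) pairs looked up at a near-constant interval: evenly
    spaced check-ins with little jitter look like firmware, not a person."""
    times = defaultdict(list)
    for ts, mac, domain in records:
        times[(mac, domain)].append(ts)
    found = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_hits and pstdev(gaps) <= max_jitter:
            found[key] = round(sum(gaps) / len(gaps))  # mean interval, s
    return found
```

Run against real DNS or flow logs, the unknown-MAC list is the alert Cosoi describes, and the beaconing map is the per-device inventory of where each device actually talks.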

The lesson is clear: welcome smart devices into the workplace – they're coming anyway – but always do so with data security in mind.
