
Common sense tips to protect SMBs from IoT threats

(Image credit: Jefferrb / Pixabay)

The Internet of things (IoT) is enabling all kinds of innovation, from smart sensors running factory floors to autonomous heart rate monitors that track and share stats with doctors. But all of these connected things—more than 8 billion and growing—can also be wide open entryways for cyber attackers. Every company that connects to the internet is at risk, but the threats are often greater for small and mid-sized businesses (SMBs), which typically lack the budget, dedicated security staff and processes. Protection is possible, however, if SMBs follow some simple and straightforward guidelines.

For several years, experts have been warning about the use of IoT devices in large-scale cyberattacks. Many of the devices are inexpensive and have few, if any, embedded security mechanisms. They often utilise simple firmware that can’t support antivirus software or receive regular updates. As such, they are particularly susceptible to attacks from botnets, which are networks of infected, private computers surreptitiously used to spread malware.

That’s what happened in October 2016. Internet-enabled cameras were used as launching pads for a massive distributed denial of service (DDoS) attack that took down major websites including Twitter, Netflix, Pinterest and others. Mirai, an open-source malware, was at the core of the cyberattack. Mirai works by locating IoT devices online and then, using an internal database of factory-default usernames and passwords, gaining access to those devices whose factory defaults haven’t been changed. Once in, Mirai uses the devices to generate junk traffic, which can be directed at any target with the intent of overwhelming it and making it inaccessible to legitimate traffic.

So far, the DDoS attack using Mirai stands alone in the sheer scale of its impact. But it’s definitely not the only cyberattack that has exploited, or will exploit, IoT’s vulnerabilities. There are reports that more than 500,000 devices may be compromised in 2017.

According to reports, security firms in the United Kingdom had to fight off about 43,000 cyberattacks in the first quarter of 2017. A large percentage of them—92 per cent—targeted IoT devices ranging from internet-connected CCTV cameras to building control systems. That comes to about 39,000 cyber-attacks per U.K. business targeting IoT systems, an 84 per cent increase over the same period in 2016.

IoT risks

Small and mid-sized businesses may think they’re immune to the risks of IoT because they don’t have any IoT devices in their operations. But they often overlook the internet-connected printers, locks, thermostats or even vending machines, all of which could be hijacked by a hacker to join a botnet or infiltrate the company’s IT systems. Even innocuous devices like smart watches and fitness trackers can pose threats. And if organisations haven’t yet established firm bring-your-own-device (BYOD) policies and security programs, all of the smart phones, tablets and even laptops employees bring to work are risks.

Just recently, it was reported that an unknown hacker infiltrated smart drawing pads used at an architectural firm to carry out DDoS attacks as part of an IoT botnet. In an even more surprising and relatively obscure cyberattack, a smart fish tank in a North American casino was infiltrated and used to access the casino’s mainframe.

An IoT protection plan

There are several things IT administrators can do to help protect their systems and networks and mitigate the risks of IoT devices.

●     Educate Users

Year after year, studies show that people are the largest security risk for any organisation. Organisations need to take the time to educate and train employees so they can follow best practices for user names and passwords, and understand and abide by BYOD policies. Training programs should be held on a regular basis, and security policies and best practices should be written down and easily accessible for all employees. Don’t forget to include contractors and other temporary workers in the training.

●     Inventory IoT Devices

It’s important to know which devices are connecting to your network at any given time, and to establish a baseline for acceptable behavior. Inventories should be done at set intervals. One simple best practice to follow: if a device does not need internet access, turn it off.

●     Stay Up to Date

Update any firmware and apply any available patches to all eligible devices. Be sure to coordinate patching and update schedules with ongoing inventory processes.

●     Create a Separate Network

IoT devices should be segmented onto their own network. By separating IoT devices—whether they are company-owned or employee-owned—you ensure the corporate network containing sensitive information is secure and any compromised devices are quarantined.

●     Employ an Intelligent Firewall Service

One of the best defenses against IoT device threats is gaining visibility into the network traffic in order to identify normal and unusual behavior. A gateway security solution should be able to identify all the devices connecting to the network so the administrator can control bi-directional traffic, track and trace the network traffic, block spam, viruses and phishing attempts, and also block “phone home” requests made by malware.

●     Establish a Contingency Plan

If you are the victim of any cyberattack, IoT related or not, you’ll need contingency and disaster recovery plans to mitigate the damages. These plans should include recovery strategies to ensure critical systems, business processes, infrastructure, etc., can be recovered quickly and effectively. Make sure to test contingency plans, document lessons learned and incorporate them into updates. And be sure to update your contingency plans regularly to reflect the constantly changing threat landscape.
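One way to combine the "Inventory IoT Devices" and "Create a Separate Network" steps above into a recurring check, as an added example that is not part of the original article. The subnets, MAC addresses, inventory and the "mac ip hostname" lease format are constructed assumptions; adapt the parser to whatever your DHCP server or gateway exports.

```python
import ipaddress

# Assumed addressing plan (hypothetical): corporate LAN and a separate IoT segment.
CORP_NET = ipaddress.ip_network("10.0.10.0/24")
IOT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed inventory: MAC -> (description, device class "iot" or "corp").
INVENTORY = {
    "00:11:22:aa:bb:01": ("lobby printer", "iot"),
    "00:11:22:aa:bb:02": ("HVAC thermostat", "iot"),
    "00:11:22:aa:bb:03": ("finance laptop", "corp"),
}

# Constructed sample of current DHCP leases, one "mac ip hostname" per line.
LEASES = """\
00:11:22:aa:bb:01 10.0.50.21 printer-lobby
00:11:22:aa:bb:02 10.0.10.77 thermostat-2f
00:11:22:aa:bb:03 10.0.10.15 fin-lt-04
00:11:22:aa:bb:99 10.0.50.40 unknown-cam
"""

def parse_leases(text):
    """Yield (mac, ip, hostname) from whitespace-separated lease lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        mac, ip, host = parts
        yield mac.lower(), ipaddress.ip_address(ip), host

def audit(leases_text, inventory=INVENTORY):
    """Return findings: uninventoried devices, wrong-segment devices, missing devices."""
    findings, seen = [], set()
    for mac, ip, host in parse_leases(leases_text):
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append(("UNKNOWN_DEVICE", mac, str(ip), host))
            continue
        name, dev_class = entry
        expected = IOT_NET if dev_class == "iot" else CORP_NET
        if ip not in expected:
            findings.append(("WRONG_SEGMENT", mac, str(ip), name))
    # Inventoried devices with no lease: confirm they are retired or offline.
    for mac in sorted(set(inventory) - seen):
        findings.append(("NOT_SEEN", mac, "", inventory[mac][0]))
    return findings

if __name__ == "__main__": print(*audit(LEASES), sep="\n")
```

Run at the same interval as the inventory itself; each finding is either a device to add to the inventory, a device to move to the IoT segment, or an inventory entry to retire.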

The bottom line: anything that connects to the network is a soft spot that hackers can use to spread malware to any other connected devices or pave a path to gain access to an organisation’s proprietary data. It’s crucial to take precautions, find the weakest links, and build up defences.

Dirk Morris, Chief Product Officer, Untangle

Dirk Morris
When he’s not summiting El Capitan or off-roading in Baja, Dirk Morris spends his time as the founder and engineering visionary behind the Untangle network gateway platform. Prior to Untangle, Dirk was Chief Architect at Akheron Technologies, where he invented the patent-pending High Bandwidth Transparent Vectoring used in the company’s proxy firewall engine. He has also held positions as lead engineer at VerticalNet and H.L.L.C. Consulting, developing Java-based distributed monitor and intrusion detection systems. Dirk earned a Bachelor’s degree in Computer Science with a minor in Mathematics from Carnegie Mellon University. He worked on survivability simulations at CERT/CC (Computer Emergency Response Team), the University’s renowned, federally funded Center for Internet security.