Fixing Your Remediation Deficit: The IoT Perspective

essidsolutions

Scale is the dynamic that defines world-changing technologies. The best example is cloud computing, which revolutionized the way technology is utilized in business by making available vast reserves of compute as a service at scale. Bud Broomhead, CEO, Viakoo, discusses fixing vulnerability remediation for IoT devices that attract cyber threats.

Freeing organizations from the technical and financial demands of building their own capacity has led to an exponential expansion in cloud infrastructure environments as the cloud fills more and more business functions. While this expansion has offered businesses unprecedented flexibility and power to iterate and expand, it has also expanded opportunities for cybercriminals in parallel.

As cloud environments grow in size and complexity, vulnerabilities increase at a corresponding rate. They accumulate faster than human teams can patch them, forming a remediation deficit. There are over 170 thousand known vulnerabilities tracked by NIST in the National Vulnerability Database; 58% of them are designated either critical or high severity. These can form unforeseen dependencies and compound each other. Fortunately, many of these are against data center technologies and can be remediated using traditional methods like password, patch, and certificate management. However, as many organizations have discovered the hard way, traditional solutions often don’t apply to IoT systems. Roughly half of the known vulnerabilities can be exploited on IoT devices, an area of cybersecurity that already deserves (or requires) more attention from security teams. Cybercriminals, we know, will not neglect IoT even if their target organizations do – it’s becoming their preferred method of breaching an organization.

Why Are IoT Devices Attractive Targets?

IoT devices are often connected to a network 24/7 and designed with efficiency and automation in mind, and they run with comparatively limited human interaction. They typically have enough memory and compute to launch an attack and often fall outside the scope of traditional IT security teams. Physical devices are managed on-site by departments like facilities, physical security, or manufacturing, which usually means a lack of IT experience to secure those devices even if there is the awareness and desire. Cybercriminals will often target low-hanging fruit – with no dearth of potential targets, those that offer the easiest access tend to be the most attractive. IoT devices, when not secured properly, represent a weak point. Even on a firewalled network, neglected or mismanaged IoT devices can punch through to the corporate network and allow cybercriminals to move laterally.

This dynamic combines with the fact that IoT devices are harder to patch. Many devices remain in operation well after their product development lifecycle has ceased. This is especially true in manufacturing, where processes to update them are often manual and require a significant degree of human resources to perform at scale. IoT systems may have operating systems with communications protocols distinct from traditional IT solutions, presenting a further roadblock to security teams. A 2020 study by Frank Ebbers of Goethe-Universität Frankfurt am Main revealed that 40% of devices have never had a firmware update, and an additional 10% of operators did not even know what firmware is. Across a wide variety of devices spanning consumer and enterprise tools, all but a few were running firmware more than a year old. On average, the gap between the latest firmware and the version in use was 19 months.

So as IoT becomes a larger part of our lives, how do we contend with this alarming dynamic of neglect and exposure?

Bringing Your Remediation Deficit Under Control

Step one is to understand which IoT devices you utilize and their particular vulnerabilities. This might seem basic, but it’s easy for IoT devices to accumulate across different business practices, or over a period of time, in such a way that they’re not tracked particularly well. Several powerful threat assessment solutions exist for IoT devices specifically, so utilizing these to paint an accurate picture of your organization’s risk profile will be a critical step toward controlling the remediation deficit.

Organizations must then prioritize. Most security teams are stretching their workforce as it is, so to make the process of remediation more manageable, it’s essential to identify those threats that represent a real risk to business operations and are likely to be exploited. Guidance like the CISA catalog can help provide context for this process, but each organization’s priorities will be distinct based on their own IT environment and how it serves business operations.

We mentioned earlier that part of the reason for such a deficit is that vulnerabilities accumulate faster than humans can patch them. This is why security teams must leverage automation as a significant part of their IoT defense strategy. Automated firmware update and patching solutions are a good example, as manual updates to IoT networks operating at scale are not achievable with any kind of efficiency or efficacy. Using certificates to authenticate IoT devices can prevent man-in-the-middle (MITM) attacks, encrypt device traffic, and help move the IoT dimension of the business closer to a zero-trust environment, a dynamic that should be a broader IT security goal for organizations in general. Extend corporate governance policies to all network-connected devices so that security controls can go where sensitive data goes. 
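The inventory and prioritization steps above, as an added example (not from the article or from Viakoo): devices in a constructed inventory are ranked by whether their open findings appear in a known-exploited list, by an organization-assigned criticality, and by firmware age. The vulnerability IDs, device names, and scoring weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Stand-in for an export of a known-exploited catalog. IDs are constructed placeholders.
KNOWN_EXPLOITED = {"VULN-0001", "VULN-0003"}

@dataclass(frozen=True)
class Device:
    name: str
    owner: str           # department that manages the device on-site
    criticality: int     # 1 (low) to 3 (business critical), assigned by the organization
    installed_fw: date   # release date of the firmware currently running
    latest_fw: date      # release date of the newest vendor firmware
    vulns: tuple         # open findings as (vulnerability id, severity) pairs

def firmware_lag_months(d: Device) -> int:
    """Whole months between the installed firmware and the latest release."""
    months = (d.latest_fw.year - d.installed_fw.year) * 12
    return max(0, months + d.latest_fw.month - d.installed_fw.month)

def score(d: Device) -> int:
    """Assumed weighting: known-exploited findings dominate, scaled by business impact."""
    exploited = sum(1 for vid, _ in d.vulns if vid in KNOWN_EXPLOITED)
    severe = sum(1 for vid, sev in d.vulns
                 if sev in ("critical", "high") and vid not in KNOWN_EXPLOITED)
    staleness = min(firmware_lag_months(d), 24) // 6  # cap so age alone cannot dominate
    return d.criticality * (10 * exploited + 3 * severe) + staleness

def remediation_queue(inventory):
    """Highest score first; ties broken by name so the order is stable."""
    ranked = sorted(inventory, key=lambda d: (-score(d), d.name))
    return [(d.name, d.owner, score(d), firmware_lag_months(d)) for d in ranked]

# Constructed inventory for illustration only.
INVENTORY = [
    Device("lobby-camera-01", "facilities", 1, date(2021, 1, 10), date(2022, 8, 15),
           (("VULN-0001", "high"),)),
    Device("plc-line-3", "manufacturing", 3, date(2019, 3, 1), date(2022, 3, 1),
           (("VULN-0002", "critical"), ("VULN-0003", "high"))),
    Device("badge-reader-7", "physical security", 2, date(2022, 5, 1), date(2022, 6, 1),
           (("VULN-0004", "medium"),)),
    Device("hvac-ctrl-2", "facilities", 2, date(2020, 6, 1), date(2021, 12, 1),
           (("VULN-0005", "high"),)),
]

if __name__ == "__main__":
    for name, owner, s, lag in remediation_queue(INVENTORY):
        print(f"{s:3d}  {name:<16} {owner:<18} firmware {lag} months behind")
```

The queue keeps zero-score devices at the bottom rather than dropping them, so every inventoried device stays visible to the team.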

IoT devices must be incorporated into organization-wide risk assessments and prioritization – especially as the IoT attack surface grows (as it does every day). It must be factored into the broader strategic planning of the organization. To neglect it is to leave open a door that would-be burglars have been informed about already. 
