Vendors must step up to IoT security challenges - which are mostly basic

Opinion by Susan Bowen

Only by understanding the true nature of threats and the vulnerabilities they exploit can we hope to prevent them, says Susan Bowen, adding that the reason the Mirai IoT attacks were so effective is the lack of any form of embedded security.

There's a common misconception that as technology becomes more advanced, security threats become equally cunning and complex. As any security specialist knows, this simply isn't true - a single script kiddie can cause as much carnage as the most elaborately engineered piece of malware.

Perhaps it's vanity, but as an industry we seem reluctant to talk about how unsophisticated many of these threats really are - and this failure is doing a great disservice to our customers and to the wider world. Only by understanding the true nature of these threats and the vulnerabilities that they exploit can we hope to prevent them.

The Internet of Things (IoT) gives a great example of the mystique that's afforded to quite embarrassingly simple pieces of malware. Threats such as the Mirai botnet and, more recently, Brickerbot, are not especially clever or original pieces of software; the reason why they were so effective is that so many connected devices lack any form of embedded security.

We all know why new technologies tend to exhibit vulnerabilities: in the age-old battle between security and productivity, manufacturers are more focused on the immediate benefits that new technologies can bring to the customer, rather than protecting against security threats. The developers tasked with connecting everyday devices to the internet are being told to do it fast and cheaply, instead of creating secure, locked-down designs.

As a result, it doesn't take a genius to exploit the billions of new network nodes that make up the Internet of Things. In their report Understanding the Mirai Botnet, researchers commented that the virus' design was “strongly influenced by the market shares and design decisions of a handful of consumer electronics manufacturers”, while also noting the “rampant” use of insecure default passwords for connected devices such as printers, routers, and security cameras.

This leaves us in the absurd situation where businesses are investing in security technologies, such as Internet-connected cameras monitoring a server room, which themselves provide a yawning backdoor into the corporate network.

The technology industry in general, and security specialists in particular, therefore needs to do much more to educate businesses and their leaders about the real threats they face, such as the inherent vulnerability of devices that they are bringing into their wider networks.

Obviously there needs to be a technical element to these conversations, but to get CEOs and business leaders sufficiently engaged to take this issue seriously, technologists need to frame the discussion in terms of corporate risk management, rather than an issue that can be isolated to the IT department.

One advantage to come from increasing publicity given to high-profile hacks is that corporate leaders are increasingly aware of the potentially catastrophic operational and reputational effects of a successful exploit. This means they're more likely to listen to those advocating security solutions.

Businesses must be made to understand the holistic, interconnected nature of modern IT, and how each bit of kit, every vendor and supplier represents a potential vulnerability. Our industry must work hard to change the old, entrenched belief that you engage vendors to solve a particular problem - for example, that your network provider is responsible for nothing more than connectivity.

We need to be educating end users about every potential security weakness, and that includes enabling them to ask the right questions of every vendor and supplier to ensure that they do not introduce new vulnerabilities via the back door. This conversation is also critical for establishing procedures to reduce response times in the event of any breach, which is obviously key to mitigating the effect of malware.

Beyond that, we should be urging businesses to follow the three security principles that will bring the greatest protection from the widest variety of threats. First, ensure that you are fully protected from DDoS with actual threat mitigation, rather than just dispersal. Secondly, review your application security measures, and test that the Web Application Firewall is examining every packet for malicious content. Finally, protect your endpoints with an enterprise-grade product that covers the widest range of viruses and spam, keep them fully updated, and check them regularly to monitor performance.

Dialogue and openness are two of the most powerful weapons we have against cyber-crime, so let us work to dispel the myths around IT security, and show just how easily some of these dangers can be defeated.

Susan Bowen, vice president & general manager, EMEA, Cogeco Peer 1

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.
