In October last year, security researchers at both Check Point and Chinese security company Qihoo 360 Netlab discovered a new IoT botnet that they said was “more sophisticated than Mirai” and had been found on millions of IoT devices including routers and IP cameras from companies including GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys and Synology.
The researchers warned that threat actors behind the botnet could cause greater damage than Mirai and could essentially take down the Internet by recruiting IoT devices in the millions.
If we go by a new report from Infoblox, even though organisations are embracing IoT devices on a grand scale, most of them are either impervious to such warnings or do not believe that hackers can truly cause havoc by hacking into IoT devices.
A survey carried out by the firm revealed that in the UK, the United States and Germany, 35 percent of large organisations had more than 5,000 non-business devices connecting to their networks each day, and 10 percent of them had over 10,000 such devices connecting to their networks on average.
Over half of small businesses with 50 to 99 employees had more than 1,000 business devices connecting to their networks and similar was the case with one in every four small businesses with 10 to 49 employees, signifying how reliant organisations are on IoT devices for increased performance and efficiency.
In the UK and the US, around 39 percent of employees connect IoT devices to their organisations' networks to access social media, 24 percent do so to download apps, 13 percent to download games and seven percent to download films. External devices connected to enterprise networks range from fitness trackers such as FitBit or Gear Fit, digital assistants such as Amazon Alexa and Google Home, smart TVs, smart kitchen devices, and games consoles such as Xbox and PlayStation.
Even though thousands of such smart devices are being regularly connected to enterprise networks, a significant percentage of organisations either do not have security policies for connected devices, or their employees do not follow existing policies by the book.
While 24 percent of IT leaders from the US and UK surveyed by Infoblox did not know if their organisation had a security policy, 20 percent of them in the UK said they rarely, or never followed such policies. According to researchers, such non-adherence to security policies is exposing organisations to social engineering hacks, phishing, and malware injection.
"Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices, like Shodan. Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP, and SNMP services.
"And, as identifying devices is the first step in accessing devices, this provides even lower level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities," they warned, highlighting the fact that in March, there were 5,966 identifiable cameras deployed in the UK, 1,571 identifiable Google Home deployed in the US, and 2,346 identifiable Smart TVs deployed in Germany.
Not only can vulnerable connected devices be exploited by hackers to infiltrate an enterprise network and to exfiltrate data via DNS port, they can also be hijacked to leverage DDoS attacks by sending repeated and frequent queries that bombard the Domain Name Server (DNS), thereby inhibiting the ability of a network to process legitimate queries.
For instance, the Mirai botnet leveraged over 600,000 IoT devices to target DNS service provider Dyn in 2016. This resulted in the repeated interruption to Dyn's services and shutting down of popular websites including Twitter, Netflix, Reddit, and CNN.
"IoT devices are not protected by nature. We need them to improve our businesses and life, but they are a very easy attack surface, and by far the easiest way to get into an organisation, enabling hackers to scan your network, install malware, conduct reconnaissance, and exfiltrate data by bypassing other security mechanisms," said Daniel Moscovici, co-founder of Cy-oT, to SC Media UK.
"The real risk is the fact that these devices are an open door in and out of an organisation. For example, if a hacker is able to infiltrate a video camera, they would be able to steal your pictures and videos; however, this is not the main issue. More importantly, the hacker can reach your more sensitive assets by accessing your network though an insecure device."
The report also revealed that a number of organisations, especially those in the healthcare industry, are now taking steps to strengthen the security of their enterprise networks. While 85 percent of them have increased their cybersecurity spending over the past year, 60 percent and 57 percent of them invested heavily on antivirus software and firewalls.
At the same time, half of organisation have invested in network monitoring, one third have invested in DNS security solutions to disrupt DDoS attacks and data exfiltration, 37 percent have taken steps to secure their web applications, operating systems, and software, and a third of them are investing in employee education, email security solutions and threat intelligence. However, Moscovici believes these steps aren't enough.
"We have seen organisations investing a lot of money in mechanisms to protect their networks, perimeters, and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment. However, organisations are unaware that it's not only the corporate network that is in danger; its airspace is also under threat. Hackers can connect via P2P directly to these assets and, from there, get into the corporate network.
He added that while many connected devices have built-in vulnerabilities, they can also be exposed through unsecured cloud or web application services, and sometimes wireless networks surrounding IoT devices are also highly unprotected.
"What is needed is a dedicated cyber-security solution that monitors both the IoT device and its activity 24 x 7, and can neutralise the threat. By doing this, an organisation will be able to detect when and which devices are at risk, as well as mitigate the threat in real time without physically looking for it. The answer does not lie within the device itself, but with a solution that brings your Security Operations Team visibility and control," he added.
Commenting on the widespread use of vulnerable connected devices, Alex Hinchliffe, threat intelligence analyst at Unit 42 of Palo Alto Networks, said that the proliferation of IoT expands the attack surface for enterprise networks.
“Our own research recently into the Satori malware family demonstrates that IoT malware is evolving all the time from the simple password brute force attack to the vulnerability exploit attack. It would be a notable trend if IoT malware authors continue to rely on using more known vulnerabilities or discovering zero-day vulnerabilities to attack IoT devices.
“Complete visibility is crucial for security teams trying to prevent these attacks. You cannot prevent attacks you cannot see. Visibility and zero-trust network design are critical, to safe guard users, their devices and other corporate assets and to see who's doing what, where and with which devices.
"The move to a classic zero-day attack against unknown, unpatched vulnerabilities is a logical next step on the part of attackers, which is why security policies for connected devices are essential, and these have to be correctly communicated to staff as well as being built into security systems. Enforcing policies requires a mix of company processes and technology to successfully implement them," he added.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout