According to Dark Reading, a new Ponemon Institute report states that a majority of companies rely on legacy technologies such as network firewalls and intrusion prevention systems (IPS) to ward off cyber threats such as malware, ransomware and distributed denial of service (DDoS) attacks. Apparently, their legacy technologies still do not make them feel secure, because article states that an overwhelming majority (94%) of those surveyed believe that in the next two years unsecured IoT devices and IoT applications will likely lead to a catastrophic event; data loss or theft (78%); DDoS attack (76%); and a cyberattack (76%).
The report, “The Internet of Things (IoT): A New Era of Third Party Risk,” which is based on a survey of risk security professionals, suggests that “companies need to track third-party IoT devices and IoT software connecting to their network and provide a way to centrally monitor their activities.” The survey found that only 48% tracked their IoT devices in the workplace.
IoT devices are often hacked for two reasons: 1) manufacturers sometimes do not build in proper security architecture for their IoT products; 2) end-users don’t change the default user passwords on their IoT devices. Like many other IT experts, we at Corero strongly believe that manufacturers should build better security into the devices, and end-users, whether they are consumers or enterprises, should update the password on each device from the manufacturer’s default setting.
This Ponemon research is important, because unsecure IoT devices are the cause of many IT security problems, and good governance would be helpful for all, because an infected device might not be used against the company that owns it, but it could be used as part of a botnet that affects another company halfway around the world.
In enterprises, the stakes are even higher, so as the Ponemon study suggests, it is important for enterprises to go further, and manage/monitor their IoT devices. Realistically, however, with the billions of IoT devices worldwide, thousands cannot be patched to the latest security standards, and thousands won’t be properly secured by their owners. So hackers have plenty of IoT devices to recruit.
At Corero we have long-anticipated the parallel growth of IoT devices and DDoS attacks; indeed, the largest DDoS attacks ever recorded, such as the now-infamous 1.2Terabit per second DDoS attack on domain name service provider Dyn in October 2016, were fueled by un-secured IoT devices that were harnessed by the Mirai botnet code to form a botnet “zombie army.” We can safely predict that even larger attacks—in the multi-terabit scale—will soon become more common because the number of IoT devices is growing exponentially worldwide.
Even though a company may practice good IoT hygiene, they cannot protect their network from DDoS attacks. It’s essential to improve the company network’s defenses; neither a firewall nor an IPS is sufficient; both can be taken down easily by a small DDoS attack. No one can control the security of IoT devices that they don’t own, but you can control your enterprise by implementing real-time, automated DDoS protection.
For more information, contact us.