The Cyber Threat of the Future: Anatomy of an Internet of Things (IoT) Attack

Internet of Things (IoT) has been dominating conversations in the tech industry for some time now. The interconnectedness of an IoT network offers streamlining capabilities that are attractive to individuals and businesses alike. Using technology to make life easier – at home or in the office – is a huge plus. However, considerations must be made for how an increase of connected devices also increases cyber-risk, making IoT networks more vulnerable to cyber invasions and infections.

[youtube]What is Internet of Things (IoT)? How Digital Connection and Transformation is Taking Shape in Business

Simply put, the Internet of Things (IoT) is any network of physical devices that contain embedded technology which enable varying degrees of internet access, communication, command and control. Connected physical devices include traditional machines like laptops, and tablets, but goes further to include a variety of other non-traditional devices including vehicles, thermostats, appliances, wrist watches, manufacturing equipment, medical devices and more.

For business owners, IoT offers huge streamlining capacities that pack a productivity punch. By having all business devices and equipment synced with internet access, communication and collaboration is easier and work gets done faster. In turn, business owners reduce overhead costs and can take on new business. Technological transformation like this can truly transform the way organizations do business.

Though it may seem futuristic, the last few years have been huge for the actual implementation of IoT, driven by cost reductions and compelling business case value. There has been a transition from ideas and prototypes to production and implementation. On the market smart-cars and wearable devices with embedded systems are readily available. Business owners in every industry are looking for the ways to best capitalize on IoT technology. However, as IoT explodes onto the scene, many of these networks simply will not have adequate security, leaving businesses more susceptible to cyber invasion.

Anatomy of an Attack: How IoT Devices Put a Cybercrime Target on Businesses

TrapX Labs, a leading Cyber Security company in the US published a 2013 report detailing the specific ways in which IoT devices significantly increase cyber risk for businesses.

“The vast majority of IoT devices provide a wide-open door to advanced attacks, persistent threats and other sophisticated malware,” says TrapX Labs Vice President, Founder and Security General Manager, Moshe Ben Simon. “Cybersecurity must be designed into these products initially. Without this design and implementation, these devices will present a huge potential risk to your organization, your employees, your business partners and your customers.”

Cybercriminals are getting more sophisticated and malicious by the day. The ways in which these seasoned professionals can gain access to your company data are endless, but here are a few of the leading ways IoT hacks and attacks take shape:

  • Botnets

Botnet attacks, also referred to as ‘thingbot attacks’, specifically target networks of connected computers and smart devices to infect them with malicious software. Once infected, criminals can seize control of the entire network without the owner’s knowledge.

This can result in a variety of damaging impacts to business networks including the wiping of data, the sending of inappropriate spam messages as well as identity and data theft. IoT networks are at increased risk simply because botnets are able to access and control more than just computers and laptops. They can get their hands on every device connected to the network, leaving endless opportunities to disrupt or rob a business.

  • Data/Identity Theft

As with all forms of cybercrime, a leading motivation is the accumulation and theft of useful data. This could be business data, but often cyber criminals seek out identity details to steal individual identities for financial fraud. The risks are even higher with the implementation of IoT, because obtaining these details becomes easier.

Between a little online research into social media accounts, general Google inquiries and the ability to hack into non-traditional, less-monitored devices like office thermostats and smart-watches, becoming someone else is made much easier thanks to IoT networking.

  • ‘Man-in-the-Middle’ Attacks

The man-in-the-middle concept occurs when cybercriminals hack a network with the intention of intercepting communications between two systems. This can be incredibly damaging as it gives criminals the opportunity to trick parties into thinking they are having a legitimate communication exchange when they aren’t.

This means clients could think they are communicating with your company, when really, they’re giving valuable information directly to criminals, without your knowledge. This is even more dangerous with IoT networks, as it leaves an open door for cybercriminals to intercept communications with company smart devices like manufacturing machines, connected vehicles or smart TV’s.

  • Social Engineering

Anyone with even a base-line understanding of cybercrime trends knows a little bit about social engineering scams like phishing emails. Criminals send convincing looking communications to clients and team members, often posing as a high-level company representative. The communications request details from recipients that could include anything from banking info to confidential company data.

Social engineering scams are even scarier when it comes to IoT networks because of the varied ways criminals can stay connected once they gain access. Even with phishing protections in place, if a single, unmonitored connected device is missed, criminals can hold onto network access. This means even if an office has protected all their computers, tablets and cellphones to prevent phishing scams, but forget about the smart TV’s and thermostats that are also connected, cyber criminals can keep hold on their network access to attack again.

  • Denial of Service

A Denial of Service or DoS attack occurs when regularly functional services are rendered unavailable. Using a botnet, cybercriminals use a variety of programs to attack one specific target, often by overloading the service target with requests. This results in capacity overload and the service becomes unavailable to those who regularly rely on it.

Unlike phishing scams, the goal of DoS attacks is not to steal data or identities, but rather, it is to completely disable businesses from operating. With IoT networks, more devices are connected meaning more services are open targets for criminals looking to shut down functionality. While businesses may not experience material data or financial losses, the hits to business continuity and reputation can be catastrophic.

Staying Protected: Strategies for Mitigating IoT Risks

So, the challenge for business owners becomes clear: how does an organization take advantage of the benefits of IoT network devices without putting their data and continuity at significant risk?

Thinking about deploying IoT technology to streamline operations at your organization? Be sure to consider the follow security strategies before you build your network:

  • “Security by design” – choose your devices wisely:

Like with all areas of IT, proactivity with IoT security is absolutely critical. The first thing that business owners/operators can do to build strong IoT security is to choose connected devices that have been designed with security in mind.

Professionals should do their research to choose products that have incorporated security considerations in all stages of design and production, from prototype to production. Addressing security concerns only at the end of the development cycle is risky and doesn’t provide the same protection as devices that have been developed with deliberate and proactive security considerations from the first step.

  • Rethink operational realities:

Implementing an entirely new way of networking, that connects a variety of newly connected equipment means business operators need to rethink the operational reality of their organization. Continuously monitoring the IoT’s operational health as well as its security health becomes crucial.

Implementing IoT proves to be a big data challenge that will require big data security. Don’t rely on haphazard monitoring and security protocols to take on this challenge. Deliberately designing failure-survival plans to ensure resiliency is key. New operational tools should include anomaly detection capabilities, enabled by machine learning and the implementation of effective and efficient responses.

  • Learn from the past:

When thinking about technological evolution, there is a linear progression that professionals can learn from. When mobile and cloud computing came crashing onto the scene, business professionals had to adapt their security protocols and many learned hard lessons during the transitions. Furthermore, the lessons learned from cyber-physical system (CPS) attacks in the past, serve as important precursors for understanding IoT security.

  • Implement threat models and attack drills:

Just like fire or military drills, implementing threat models and attack drills for IoT security is one of the best ways to be prepared for the worst-case scenario. Setting up training programs for employees that implement attack drills is one of the best ways for users to understand how attacks work and best apply strategies for prevention, detection and protection.

  • Stay in the know – monitor trending threats and security standards:

It may sound cliché, but there is no denying that when it comes to IoT security, knowledge is power. Staying in touch with the trending cyber threats that are wreaking havoc on business owners is a critical aspect of staying one step ahead of cyber criminals.

Additionally, staying in tune with professional security standards organizations is a fundamental part of being proactive in the face of increased risk. In fact, some business owners go a step further to join these security standards organizations in some capacity to ensure they are informed and can take advantage of the very latest tech security strategies on the market.

  • Continually educate system users:

A business owner’s employees and system users can either be the biggest line of defense against cyber invasion or they can be the biggest vulnerability. It’s up to business leaders to ensure that system users are informed and trained on how to navigate daily IoT operations in a way that safeguards the network and company data.

Implementing regular training protocols and keeping system users up to date on the latest threats and strategies helps to ensure that IoT security efforts are brought full circle and remain consistent through a business’s life cycle.

IoT – it’s a lot to take in. If you’re thinking about taking advantage of the streamlining and productive power that IoT networking offers businesses, that’s great! However, as outlined, it’s critical that you make deliberate and informed considerations about security. IoT isn’t your grandfathers network and it needs more than your grandfather’s security strategies.

Do your research and seek out consultation from local IT experts. Implementing IoT is all fun and games until you realize that security was vulnerable from day one. Don’t wait for a devastating attack to happen. By 2020, there will be over 30 billion devices connected to the internet. Step into the future safely and make IoT work for you.

IOT Attack