The Internet of things (IoT) is not on its way to the enterprise, it has already arrived. And the personal cloud storage devices, fitness trackers, smart watches, and myriad other devices with newfound connectivity present new risks and challenges for IT departments charged with protecting their enterprise networks. This is all according to a report on IoT released by OpenDNS last week.
Specifically, the report lays out three distinct, “principal” risks for enterprises housing these devices:
- IoT devices introduce new avenues for potential remote exploitation of enterprise networks
- The infrastructure used to enable IoT devices is beyond the control of the user and IT
- And IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched
New Avenues for Remote Exploitation
Like any laptop or server, IoT devices allow traffic to flow both to and from the Internet, which creates a new entry for attackers to exploit and gain entry into protected networks. This is a problem for enterprise security teams, according to Mark Nunnikhoven, senior security researcher at OpenDNS and contributing author to the report.
“Some of these devices use an easily remembered domain name to allow the user access,” Nunnikhoven said. “That’s great for the user but also for the attacker. An attacker can collect these names and use them to attempt to access the storage directly.”
He added that unless security teams are aware of and monitoring these devices, they may not see what could be a potentially large data leak. And some of the devices examined for the IoT report are vulnerable to “widely known” security flaws like FREAK and Heartbleed, which have been in the news for months.
Outside IT’s Control
When a vulnerability becomes well known and a patch is released, it relieves the potency of potential attacks that exploit it. But what happens when those attacks are perpetrated on infrastructure outside IT’s control? And how does an IT professional patch vulnerable devices that don’t belong to the company but to employees who brought them in the door?
Device manufacturers do not seem to be chomping at the bit to take responsibility for the security of these devices, and so far even enterprise IT and security departments are unsure as to who should assume ownership of them.
According to OpenDNS’s report, these are issues companies need to consider and plan for as IoT gets more popular and more pervasive. Nunnikhoven said the lack of control over these devices forces a level of trust most IT and security professionals would not be comfortable giving.
“IoT devices collect a lot of data. That data is typically stored and processed in the cloud via a service provided by the device manufacturer,” Nunnikhoven said. “These systems are outside of the control of the user and security team’s control. Unless you completely block the service, which is not usually the right answer for anyone, you’re at the mercy of the provider.”
A Casual Approach to a Serious Issue
Because IoT devices like thermostats, smart watches, fitness trackers, and connected personal storage devices are marketed and largely developed for consumers, that is how they are most often regarded, as gadgets or toys. That attitude carries over into the work world as more employees bring connected devices inside company walls.
One of the main issues when it comes to patching and updating IoT devices, an issue Google recently got involved in with the launch of Brillo, is that there is no central management for them. Typically each device is a completely isolated connection that needs direct contact to update or patch.
“Given the personal nature [of most] IoT devices, IT teams are completely out of the loop,” Nunnikhoven said. “This creates a really bad scenario when a security vulnerability is found. You’re reliant on the manufacturer issuing a patch, someone discovering that patch, and then the user installing the patch. That runs counter to security best practices and creates a lot of effort for IT teams to keep on top of the state of these devices.”
The 2015 IoT in the Enterprise Report suggests that IT organizations get out in front of IoT’s emergence on their networks, stating that devices that connect to the internet, personal though they might be, need to be monitored and managed as closely as enterprise-grade IT equipment, or as close to that as possible.
For more on the Internet of things and the risks connected devices pose to the enterprise, read the 2015 Internet of Things in the Enterprise Report.