The latest study of cybersecurity firm Palo Networks strengthened the longtime fear that the Internet of Things (IoT) would mean the expansion of cyber attack surfaces. The firm warns technology leaders that inconspicuous smart devices such as connected cars, implanted heart monitors, and even “connected trash cans.”
Palo Alto Networks’ threat intelligence unit Unit 42 said threats continue to evolve to target IoT devices using new sophisticated and evasive techniques, such as peer-to-peer command and control communications and worm-like features for self-propagation. Coupled with a weak device and network security posture, attackers have ample opportunity to compromise IoT systems.
“2020 Unit 42 IoT Threat Report” states that 57% of IoT devices are vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers while 41% of attacks exploit device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses.
Palo Alto Networks commissioned technology research firm Vanson Bourne, which polled 1,350 IT business decision-makers in 14 countries across Asia, Europe, the Middle East, and North America.
As IoT, or billions of devices connected to the internet, becomes the norm, the amount of data that travels across various networks is too tempting to pass up for cybercriminals. In the Palo Alto Networks’ survey, one red flag emerged: 41% of respondents said they need to make a lot of improvements to the way they approach IoT security, and 17% said that a complete overhaul is needed, amounting to more than half of those polled.
It means that even if IoT talks have been going around for years, some organizations didn’t make enough preparations for this “phenomenon.”
Nearly one in four of those surveyed at organizations with at least 1,000 employees reported that they have not segmented IoT devices onto separate networks, which is a fundamental practice for building safe, smart networks. Only 21% reported following best practices of using micro-segmentation to contain IoT devices in their own tightly controlled security zones.
“Traditional networks are ill-equipped to handle the surge in adoption of IoT devices,” said Tanner Johnson, senior cybersecurity analyst at Omdia. “Device behavior baselines need to be established to allow for new recommended policies to help stop malicious activity. For instance, it would raise a flag if a connected thermostat started transmitting gigabytes of data to an unfamiliar site.”
Business Insider Intelligence forecasts there will be more than 41 billion IoT devices by 2027, up from 8 billion last year.
The threat is even more pronounced now that a significant percentage of employees are working from home using their own devices or connecting corporate devices onto unsecured routers where other home devices are also connected.
“Devices that employees innocently bring onto an organization’s network are often not built with security in mind and can be easy gateways to a company’s most important information and systems,” said May Wang, senior distinguished engineer at Palo Alto Networks. “To address that threat, security teams need to be able to spot new devices, assess their risk, determine their normal behaviors, and quickly apply security policies.”