By Paul Williams, Country Manager - SADC at Fortinet
The arrival of Internet of Things technologies might not significantly change the mode of attack used by cybercriminals, but it does increase the risk exposure of both enterprises and individuals.
With every object connected to the Internet, every IoT device becomes a potential gateway to the enterprise as well as a potential target for attack. In 2015, some large local enterprise came under a DDoS attack that targeted its internal systems, for example. For the best part of a day, the enterprise could not trade. Incidents such as these highlight what can go wrong when IoT-enabled enterprises come under attack in the future from cybercriminals, competitors, activists or disgruntled employees seeking revenge.
In the past, DDoS and other type of attacks might have shut down websites or trading systems to fairly devastating effect. In future, when all IP devices are connected, you could find attackers targeting everyday objects – point of sale systems; branch office alarms and CCTV cameras; building management systems; sports stadium access gates; healthcare equipment like pacemakers and heart monitors; logistics control systems and utilities to mention a few. In people’s homes, smart TVs might be accessed to steal the user’s identity and commit fraud, children’s monitors and wearable’s might be accessed in order to track their movements; in-car systems might become vulnerable to attack. Because IoT is still in its early stages, the extent of the crimes that could be committed using IoT technologies is not yet known, but it is clear that hacking for profit or revenge will become a whole lot easier when everything is connected.
Preparing to benefit from the advantages of IoT while still ensuring that individuals and enterprises are kept safe from cyber attackers demands action at a number of levels: for one, a national regulator should be put in place to oversee internet security standards and governance of stakeholders such as broadcasters, telecommunications companies and ISPs.
Heightened awareness is needed on the part of enterprises implementing IoT solutions – multiple layers of security will be necessary across all smart devices, their associated networks and even their cloud-based management tools. Enterprises will have to step up their monitoring of both active traffic and historical traffic on Internet pipes and local area networks and look at sandboxing tools and real-time monitoring of security devices. Companies currently using two-factor authentication might consider moving to three factor authentication that includes a biometric component, to improve user authentication.
To secure the data centre, automation and software defined networking, internal segmentation firewalls that control access by users, devices and network domains to ‘containerise’ the user, rather than attempting to lock down the enterprise within a perimeter, and full visibility and management of the distributed environment off a single pane of glass become increasingly important. Enterprises also need to revisit both skills development and staff training continuously. Security and data access policies and procedures need to be clearly spelt out to employees whenever new legislation comes into effect, and whenever new operating systems or applications are introduced or new cyber threats emerge.
To mitigate this plethora of new threats demands a range of high end niche security skills to implement and manage the multi-layered security environment, but many of these skills are difficult to source and keep in-house. For this reason, many local enterprises are now turning to specialised risk and security consulting firms to oversee critical security projects and risk management.