The question above may seem like a false dilemma, but many of the organizations that stand to benefit from IoT technology face something of a Catch-22: They can exert great caution in deploying connected technology, thereby minimizing their chances security breaches, but also slowing them down, putting them at a competitive disadvantage. On the other hand, companies that are cavalier in how they deploy IoT technologies increase their risk of getting hacked.
A better option is to play hardball, being prepared for hackers while mapping out a strategy that leverages the power of IoT technology to drive ideal business outcomes. Hoping hackers won’t target you is a strategy doomed to fail. “If someone is targeting you, they are getting in,” says Michael Patterson, CEO of security firm Plixer. To prepare for cybercriminals, enterprises should closely monitor network traffic so that when the bad guys do get in, you can determine how and when it happened, and take steps to get them off the network as soon as possible.
Hold Tech Vendors Accountable
Of course, all of the responsibility shouldn't lie with the companies deploying IoT technology. IoT device makers should “take responsibility” by designing security into their products, recommends the analyst firm Juniper Research. The industry needs big-name vendors like Amazon, Google, and Samsung to help develop best practices for the entire industry, Juniper Research adds.
Plixer also suggests that ISPs get more involved in fighting DDoS attacks by following standards outlined in BCP38, a standard designed to prevent the spoofing of Internet traffic first described in 2000. The problem that a series of coordinated DDoS attacks could take down the Internet remains a possibility. Meanwhile, many ISPs eschew responsibility, Patterson says. “They are saying: ‘look, we aren’t the target of the DDoS attacks; we’re just hosting the machines that are participating in them.’”
Understand How Hackers Think
In one sense, hackers are like ordinary people. They get thrills out of finding a creative solution to a challenge. But unlike most ordinary people, they enjoy breaking the law.
If you go by the stereotype, a hacker is a lone-wolf type toiling away in a basement somewhere to cause havoc. Frequently, hackers form teams and collaborate to develop a plan of attack against a valuable target. Sometimes, they devote months or even years before they strike.
Many companies that develop connected technology underestimate them, thinking that a simple strategy will keep them at bay.
As a case in point: In January, President Trump recommended that the best way to keep information away from hackers is to use a huge air gap—for military networks and pretty much any other kind of system. “The problem is that hackers are figuring out how to jump air-gapped computers,” says Plixer’s CEO. “If they can infect computers with a USB, and infect the computer next to it, they can wirelessly pick up signals and figure out what data is on that computer.” For more evidence that air gapping isn’t bulletproof, just consider how much damage the Stuxnet virus did to the Iran’s air-gapped nuclear facilities in 2010.
The bottom line is: the threat is constantly evolving. The kinds of attacks are changing, as are the types of attacks. Several years ago, hackers often sought to get credit card numbers for self-enrichment. Now, however, banks have learned to react quickly at preventing and mitigating credit-card fraud. As a result, some hackers are looking for different targets—including healthcare. “The bad guys see healthcare as an extortion-rich target,” says Bob Noel, director of marketing and strategic partnerships at Plixer International. “Hackers know that, if they can breach healthcare institutions and cause havoc, those institutions will act quickly prevent or mitigate problems. They are more likely to cough up cash,” Noel says.
It’s for that reason that Noel expects a growing number of hackers to launch DDoS and ransomware attacks against healthcare institutions.
Beware of Script Kiddies
Here’s another fact: It has never been easier to become a hacker. There is a burgeoning community online of sites that help anyone interested in learning about cyberattacks download the code to launch them, or even find training from more experienced hackers.
There is a growing group of less-experienced hackers—pejoratively called “script kiddies”—who rely on online tools to launch attacks. Some of these people have visions of becoming more-adept hackers. “They are willing to pay for training,” Patterson says. “You have hackers who are skilled in the use of it are delivering online training at a cost to people who are unskilled.”
It is within one of these online communities that the code for the Mirai botnet first popped up. A Mirai-fueled DDoS attack knocked a chunk of the internet in October. “I expect a proliferation of unskilled hackers to leverage this Mirai code that could deliver attacks that could be unforeseen as could be the consequences,” Patterson explains.
Still, the amount of damage that a script kiddie can cause tends to be limited because they don’t tend to have access to the most powerful tools or mentors. “Some of the more experienced hackers would likely be very leery of new online personas reaching out to them for assistance,” says Thomas Pore, who works at Plixer’s cyber threat detection and incident response division.
Some of the people that use booters—online paid services used to launch DDoS attacks—are simply kids or gamers with mischievous intent. “For these kids, using a booter site is like the online equivalent of getting drunk. They can do it for less than $5, they have a good time, but most people don’t get hurt that bad when they do it,” Pore says. “Kids might use a booter to DDoS their school or gamers might do the same to a competitor.”
Gauging the Biggest Risks
While a gamer that uses a DDoS service isn’t likely to pose much of a threat, the fact that the source code for Mirai is freely available is a concern. “If you are building malware and you want to use it for gain, there is no reason not to add in Mirai,” Patterson says. “That is why you are going to see the proliferation of DDoS attacks in 2017. Bad guys could proliferate this using it as ransom. They could say: ‘I am going to take you down for three days before Valentine’s Day or Christmas unless you pay up.’”
Another wrinkle is that many companies launching IoT initiatives haven't had much exposure to cybersecurity before. And much of the equipment in facilities such as factories and hospitals is older and wasn't developed with built-in security.
In the end, organizations deploying IoT technology will have powerful technological tools—and enemies—to consider.