Cybersecurity awareness and IoT security
October is recognized as CyberSecurity Awareness Month (NCSAM) in the US and CyberSecurity Month (ECSM) in the EU. These are collaborative efforts between governments and industries to raise awareness about various cybersecurity issues and to educate members of the public so that they can do more to keep themselves safe online.
In the United States, there are several themes to NCSAM, and normally each week in October will focus on one specific theme. This year they have organized it a little differently, focusing on three pillars of security: Own IT, Secure IT, Protect IT.
The Internet of Things, IoT, refers to the objects and devices that are connected to the Internet or to an Internet-connected network. These "things" include cable modems, routers, security cameras, smart TVs, home assistants like Amazon Echo, doorbells like Google Nest, and smart refrigerators that can send alerts to your mobile phone. Even cars that send diagnostic information to your email or phone are part of the Internet of Things.
Regardless of how many smart devices you use in your home, the Internet of Things is thriving and growing all around you. Governments are turning to "smart city" devices to help with infrastructure management, public security, utility consumption, traffic flows, and emergency response and communications. Rural areas are also using Internet-connected devices to monitor things like utilities and local weather. There is also widespread use of IoT in business and industry: cameras and alarms protect sensitive areas, SCADA systems manage industrial, infrastructure, and facility processes, and GPS systems identify routes and track deliveries.
So what's the big deal about all of these "things"? There are a handful of problems:
- There are so many of them. Gartner estimates there were 11.2 billion devices in 2018 and that number will grow to 20.4 billion in 2020. The only thing certain about that number is rapid growth, though. Cisco's estimate for 2020 is 50 billion connected IoT devices.
- Many of them are old and have not been patched or replaced in years.
- Most do not require security controls such as default password changes or complex passwords.
- They are often "rogue," meaning they have been added to networks without the IT manager's input or knowledge. Something as simple as a thermostat replacement in a business office could introduce unmanaged IoT into the network.
- If one actor is able to compromise enough of these devices, they can mount a powerful attack. In 2016 the Mirai botnet was used to launch a DDoS attack against Dyn, an infrastructure provider that supported sites like Twitter, Reddit, and GitHub. All of these sites were unavailable or operating at diminished capacity until the attack was mitigated. (The creator of Mirai later pleaded guilty to related attacks.)
- A small number of critical devices with the right connections can do massive damage. This is what happened with Stuxnet, which was a matter of several PLCs being connected to a standard PC. Although the PC was believed to have been infected via a USB drive, this is a good example of how a small number of insecure smart devices can be hijacked due to poor security.
It's possible that one of your devices is compromised and participating in an attack right now, and you might never know.
Related Barracuda research: Threat Spotlight: IoT application vulnerabilities leave IoT devices open to attack
So what can you do to make sure that your devices are as secure as possible? The easiest and most important step is to change the password on the device as soon as you have it configured for use. Default passwords are usually publicly available, either through user manuals and tech support sites, or through mega-lists compiled for use by system administrators who regularly work on these devices. If an attacker comes across your device and you're still using the default password, there's very little left to protect you from an attack.
Since many IoT devices are controlled by mobile apps, be sure to monitor these apps to make sure they are not abusing permissions on your phone or tablet. Make sure that you are only using verified apps to control your devices.
Keep your user manual or make sure you know how to check for updates for your device. If the device cannot be updated, consider replacing it with something that is properly supported by the manufacturer.
A final piece of advice is to make sure that your network is secure. Follow best practices for passwords, use endpoint protection, enable the firewall on your router, and consider segmenting your network in such a way that separates IoT devices from anything that contains sensitive information or applications with special privileges. For example, you may want to maintain separation between security cameras and devices like a Chromecast streaming media player.
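As an added example (not code from the original post or from Barracuda), here is what the segmentation just described looks like as an nftables ruleset on a Linux-based router. It assumes three interfaces, named lan0 (trusted network), iot0 (IoT VLAN) and wan0 (uplink); those names are placeholders to replace with your own. The policy lets the trusted network manage the IoT devices and lets the IoT devices reach the Internet for updates and cloud services, but drops and logs any connection an IoT device tries to open into the trusted network.

```shell
#!/bin/sh
# Added example: nftables ruleset that keeps an IoT VLAN separate from the trusted LAN.
# Interface names are assumptions; override them via the environment or edit them here.
LAN_IF="${LAN_IF:-lan0}"    # trusted network (assumed name)
IOT_IF="${IOT_IF:-iot0}"    # IoT VLAN (assumed name)
WAN_IF="${WAN_IF:-wan0}"    # Internet uplink (assumed name)

# Print the ruleset so it can be reviewed before it is applied.
iot_segmentation_ruleset() {
  cat <<EOF
table inet iot_segmentation {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Return traffic for connections that were already allowed.
    ct state established,related accept

    # Trusted LAN may manage IoT devices and reach the Internet.
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept

    # IoT devices may only talk to the Internet (firmware updates, cloud services).
    iifname "$IOT_IF" oifname "$WAN_IF" accept

    # IoT devices must never initiate connections into the trusted LAN; log the attempt.
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "iot-to-lan-blocked: " drop
  }
}
EOF
}

# Load the ruleset with nft when it is installed; otherwise leave it as a review-only printout.
apply_iot_segmentation() {
  if command -v nft >/dev/null 2>&1; then
    iot_segmentation_ruleset | nft -f -
  else
    echo "nft not found; ruleset printed for review only" >&2
    return 1
  fi
}

# Show the generated ruleset. Run apply_iot_segmentation as root to install it.
iot_segmentation_ruleset
```

Because the chain's default policy is drop, anything not explicitly listed (for example, a camera trying to reach a file share on the trusted network) is blocked, and the log prefix gives you a line in the kernel log to alert on. Connections opened from the trusted side still work because their replies match the established,related rule.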
Security for IoT devices used in business and government can be more difficult and more important because of the nature of the devices involved. These can be anything from fuel pumps to payment systems to licensing kiosks to cash machines. Basic security rules still apply, but there are also special firewalls that will monitor and protect these devices at all times. If you are in the position of managing critical devices like this, CyberSecurity Awareness Month is a good time to evaluate the security on each device and make sure your network is fully protected.
Visit the National CyberSecurity Awareness Month website to learn more about the three pillars of security and the Internet of Things (pdf).
The European CyberSecurity Month website has more information on the efforts to raise awareness in the EU.
For a cool background on IoT firewalls, see this blog series on our role in creating the first IoT firewall. For information on Barracuda Internet of Things security, visit our website here.