Sensors as blind spots in IT security?

Hardware connected to the Internet of Things (IoT) can receive and forward not only data but also commands or malware code under foreign control. IT security managers therefore need defense methods that can detect, analyze and defend against an attack via an IP camera or other sensors, for example. An expert gives tips on how to do this.

Network Detection and Response is based on a 360-degree view across all IT resources. This makes attacks launched via the Internet of Things visible. (Image source: ForeNova)

Networking through IoT devices is continuously increasing. The experts from IoT Analytics predicted in December 2021 that the number of active endpoints worldwide would increase by nine percent to 12.3 billion devices by the end of the year. Accordingly, the total number of connections would be over 27 billion in 2025. Companies in industry and healthcare have increasingly deployed devices, including simple sensors or IP cameras, that are connected to the central corporate network. Even small and medium-sized enterprises are opening up more and more to the Internet - often without a corresponding IT security plan and with few defensive resources.

Sensors and IoT hardware as entry points

IoT hardware is an attractive target for hackers: they hijack IP cameras connected to the corporate network and enlist them in botnets that then carry out denial-of-service attacks. Private routers or other IoT devices in the home office are a widespread threat, since attackers can use them to gain access to the company's central IT infrastructure. Ultimately, even small gaps open the door to far-reaching hacking activities.

There are several reasons why sensors and IoT hardware are a weak point in IT defenses: many administrators do not know which devices are part of their network. In addition, companies use the devices as long as they somehow function - longer than the manufacturer intended. Once the manufacturer no longer supports such systems, these devices grow into a security vulnerability, especially since users often do not update the devices - if there are any updates at all.

Examine data traffic for anomalies

Those who want to detect and defend against the exchange of commands between sensors and command-and-control servers, or lateral movement for malicious purposes, at an early stage need direct visibility into their IoT devices. If devices have an IP address and are part of the enterprise network, Network Detection and Response (NDR) can see and evaluate traffic from the IP video camera, the sensor on the shop floor or the smart door lock.

The fingerprint of anomalous communication with managed IP-based IoT devices clearly stands out from normal data traffic: in secure standard operation, sensors in production, for example, regularly deliver small packets to central systems and applications and hardly ever receive data packets back - apart from an update. Nor is there normally any data to be transmitted externally, unless a supplier deliberately sends data to a partner. Network traffic analysis trained with artificial intelligence and machine learning therefore detects such unanticipated events and sounds the alarm.
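The fingerprint described above, turned into a simple baseline-and-deviation check over flow records: this is an added example, not ForeNova's or any NDR product's code, and the flow record format, the corporate address ranges and the sample flows are constructed assumptions.

```python
# Added example (not ForeNova's code): score IoT sensor flows against a baseline.
# Constructed flow record: (ts, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
from collections import defaultdict
from ipaddress import ip_address, ip_network
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed corporate ranges

def build_baseline(flows):
    """Per device: known (dst, port) peers and largest bytes out/in seen in good traffic."""
    base = defaultdict(lambda: {"peers": set(), "max_out": 0, "max_in": 0})
    for _, src, dst, port, b_out, b_in in flows:
        p = base[src]
        p["peers"].add((dst, port))
        p["max_out"] = max(p["max_out"], b_out)
        p["max_in"] = max(p["max_in"], b_in)
    return base

def score_flow(base, flow, slack=3.0):
    """Reasons a flow deviates from its device's baseline; [] means normal reporting."""
    _, src, dst, port, b_out, b_in = flow
    if src not in base:
        return ["unknown device"]                 # never inventoried
    p, reasons = base[src], []
    if not any(ip_address(dst) in n for n in INTERNAL):
        reasons.append("external destination")    # sensors never talk outside
    if (dst, port) not in p["peers"]:
        reasons.append("new peer")                # possible lateral movement
    if b_in > slack * max(p["max_in"], 1):
        reasons.append("large inbound transfer")  # sensors rarely receive data
    if b_out > slack * max(p["max_out"], 1):
        reasons.append("large outbound transfer") # possible exfiltration
    return reasons

def detect(baseline_flows, new_flows):
    """Map each new flow's timestamp to its list of anomaly reasons."""
    base = build_baseline(baseline_flows)
    return {f[0]: score_flow(base, f) for f in new_flows}

# Constructed known-good traffic: two shop-floor sensors reporting to a historian.
BASELINE_FLOWS = [
    (1, "10.20.1.11", "10.0.5.20", 1883, 180, 40),
    (2, "10.20.1.11", "10.0.5.20", 1883, 200, 40),
    (3, "10.20.1.12", "10.0.5.20", 1883, 150, 40),
]
# Constructed flows to check: normal report, large external download, lateral SMB, rogue device.
NEW_FLOWS = [
    (10, "10.20.1.11", "10.0.5.20", 1883, 190, 40),
    (11, "10.20.1.11", "203.0.113.7", 443, 250, 9000),
    (12, "10.20.1.12", "10.0.5.31", 445, 4000, 2000),
    (13, "10.20.1.99", "10.0.5.20", 1883, 180, 40),
]
```

Calling `detect(BASELINE_FLOWS, NEW_FLOWS)` leaves flow 10 with no reasons and flags the other three; a real deployment would learn the baseline from a longer observation window and exempt scheduled update windows from the inbound-size rule.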

Six tips to detect, analyze and defend against attacks from the Internet of Things

In addition, IT administrators should follow this advice to fend off attacks from the Internet of Things:

  1. Segment enterprise networks: IoT devices should operate in their own network segment. To collect and forward data locally, a guest network is sufficient. Access to such a network, or conspicuous patterns in the data traffic between the IoT segment and the central network, can then be efficiently seen and monitored.
  2. Zero Trust as basic protection: no access by an IoT device should be allowed unchecked. This default access control creates immediate security and prevents a proliferation of IoT hardware with access to the network.
  3. Virtual patching: a virtual patch in an application firewall helps control the traffic between non-upgradeable or unmanageable IoT devices and the network. It mitigates known security issues by blocking at the firewall level.
  4. Immediate action must follow an alarm: anomalous traffic patterns on the network must trigger defensive measures through firewalls, antivirus, endpoint detection and response (EDR), or identity management. Blocking systems or taking an automatic snapshot backup at the first sign of a suspected attack, and during its preparation phase, are automated immediate measures to prevent damage.
  5. Build a comprehensive defense strategy: if IT systems are not part of the corporate network, IT administrators can theoretically install an NDR sensor locally, but this entails high costs and administrative effort. Other security technologies therefore play an important role, for example in the case of the unmanaged home router: an EDR client provides immediate protection for that endpoint.
  6. Analyze events to prevent tomorrow's attacks: if NDR has blocked an attack with the help of other technologies, analysis of the incident plays an important role in closing the gap and preventing follow-up attacks. The paths of an attack, which Network Detection and Response records in a timeline from a mirror of all traffic - to and from the outside as well as within the system - remain visible. Artificial intelligence and machine learning also derive new traffic patterns that may indicate an IoT attack and help with future defenses.

Detect traces in data traffic

The threat from the Internet of Things quickly overwhelms IT teams with limited human and technical resources. But every time IoT is the launching point for an attack on the core IT infrastructure with its systems, applications and corporate knowledge, these events leave traces in the traffic. Network Detection and Response, which develops models of normal traffic based on AI, machine learning and threat intelligence, sounds the alarm when anomalies occur and performs automated defenses. Such defenses are now within reach for small and medium-sized enterprises.

Author:
Paul Smit is Director Professional Services at ForeNova B.V. This company is a fast-growing cybersecurity specialist that offers affordable and comprehensive Network Detection and Response (NDR) to mid-sized companies to efficiently mitigate damage from cyber threats and minimize business risks.
