IoT devices entering enterprises, opening company networks to attacks
OpenDNS released The 2015 Internet of Things in the Enterprise Report, a worldwide data-driven security assessment of Internet of Things (IoT) devices and infrastructure found in businesses.
Using anonymized data from the billions of Internet requests routed through OpenDNS’s global network daily, the report details the scale to which IoT devices are present in enterprise environments and uncovers specific security risks associated with those devices. Key findings indicate IoT devices are prevalent in highly regulated industries, and infrastructure supporting those devices are vulnerable to well-known and patchable security flaws.
Authored by Director of Security Research Andrew Hay and other members of the OpenDNS Security Labs team, the report includes the following notable findings:
- IoT devices are actively penetrating some of the world’s most regulated industries including healthcare, energy infrastructure, government, financial services, and retail.
- There are three principal risks that IoT devices present to the enterprise: (1) IoT devices introduce new avenues for potential remote exploitation of enterprise networks; (2) the infrastructure used to enable IoT devices is beyond both the user and IT’s control; (3) and IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched.
- Some networks hosting IoT data are susceptible to highly-publicized and patchable vulnerabilities such as FREAK and Heartbleed.
- Highly prominent technology vendors are operating their IoT platforms in known “bad Internet neighborhoods,” which places their own customers at risk.
- Consumer devices such as Dropcam Internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage devices, various connected medical devices, and Samsung Smart TVs continuously beacon out to servers in the US, Asia, and Europe–even when not in use.
- Though traditionally thought of as local storage devices, Western Digital cloud-enabled hard drives are now some of the most prevalent IoT endpoints observed. Having been ushered into highly-regulated enterprise environments, these devices are actively transferring data to insecure cloud servers.
- Finally, a survey of more than 500 IT and security professionals found that 23 percent of respondents have no mitigating controls in place to prevent someone from connecting unauthorized devices to their company’s networks.
“This report shows conclusively that IoT devices are making their way into our corporate networks, but are not up to the same security standards to which we hold enterprise endpoints or infrastructure,” Hay said. “Our hope is that by using this report, security professionals and researchers can better understand the security implications of the IoT devices in their own environments.”
The report is extensive – 70+ pages – and definitely worth a read. It also provides infosec pros with recommendations for mitigating IoT-related risks found in their own networks.
It can be downloaded from here (registration required).
In conjunction with the research findings, OpenDNS has also released an update to its Cloud Services Report feature that can now detect IoT-related traffic on enterprise networks. The traffic detection tool allows security professionals to discover whether employees are using cloud services that are sanctioned by a company’s IT department or other, unapproved services.