The Internet of Things (IoT) promises a host of benefits for companies, but as security experts have been quick to warn, it also brings a great deal of risk. Case in point? "Misfortune Cookie," a flaw discovered by Check Point Software that puts 12 million internet-connected devices in danger. The cookie has already left a bad taste in the mouths of IT professionals — but is it just the appetizer preceding a main course of IoT threats?
As the E-Commerce Times reported, a flaw in the code of popular embedded web server RomPager leaves it vulnerable to compromise. Used in millions of routers worldwide, the flaw makes it possible for a malicious actor to "take control of a router and use it to steal data from both wired and wireless devices connected to a network." Even worse? Ninety-eight percent of devices using RomPager haven't been updated, despite the fact that a fix has been available for this problem since 2005. According to Shahar Tal, Check Point's malware and vulnerability research manager, "Most people don't install upgrades to their firmware. That's why we believe this vulnerability will stay around for months and years to come." Simply put, IoT-type devices aren't viewed with the same kind of security suspicion as smartphones, tablets and wearables — after all, they're "only hardware," right?
ZDNet, meanwhile, points out that security companies are banking on a risky year for IoT, one where hackers increasingly target this connected network and security skills lag behind. The data comes from a recent Sophos report, which says the number of coding flaws in supposedly secure software is on the rise: "From Heartbleed to Shellshock, it became evident that there are significant pieces of insecure code used in a large number of our computer systems today." And while many of these flaws went unnoticed in locked-down corporate networks, the increasing number of IoT-enabled devices provides an entirely new avenue of attack that many companies aren't prepared to handle.
This new landscape leads to a critical question: Is there anything companies can do to protect themselves from hidden hardware flaws or software issues, or are they doomed to sweep up the pieces of broken networks?
The first step in defending against the Misfortune Cookie and other attacks is changing the way IoT devices are monitored. Currently, they're set apart from main systems, either on out-of-the-way network branches or in the hands of third-party providers. By relegating them to a lower threat tier than more conventional access points such as desktops and mobile devices, companies leave their doors wide open for attackers. And when malicious actors gain undetected access to corporate networks — even peripherally — they've got the advantage.
Once monitoring expectations are changed, enterprises must address the more technical issue surrounding processes: How do IoT devices become part of the loop? Here, the key is thinking outside standard security frameworks. By leveraging a cloud-based, end-to-end monitoring solution that addresses concerns on a per-app basis, it's possible to reduce network threats down to their most basic components, putting power back in the hands of IT admins. Addressing IoT security on a programmatic, proactive basis with the understanding that even "secure" systems may be nothing of the sort, it's possible to put all devices — regardless of their origins — on the same playing field.
Improve your fortune! Get IoT-ready by expanding your security ecosystem.
Photo Source: Flickr