Unless you’ve been sheltering yourself from the media, by now you’ve probably heard or read about “The Internet of Things,” or IoT. In the broad sense used here, IoT is the collection of “things,” also known as endpoint devices, that connect to your network: servers, computers, mobile devices and any other device that connects to your network at any time. Just as there are now smartphones, there will soon be more “smart” devices that talk to other smart devices, such as printers that let you know they’re running low on ink and forward your job to another printer because the one you tried to print from is out of order. These devices run operating systems, such as Mac, Windows, Linux and others, and carry software that will need to be patched or updated. In a perfect world, these smart devices simplify our lives and automate tasks for us. However, there is a big downside to all this interconnectivity. Every thing connected to your network creates a new, two-way road for attackers to travel. If they can compromise your things, which connect to your corporate network, they can attack your network. And if they can attack your network, they can attack the things connected to it: computers, other devices, equipment and appliances.
As people continue to network new things, criminals will continue to exploit the latest innovations. There were 13 billion Internet-connected devices in 2013, according to Cisco. According to IDC, the installed base of the IoT will be approximately 212 billion things by 2020. These will include phones, chips, sensors, implants and devices that haven’t yet been invented. This year alone, IDC expects shipments of smart-connected devices (PCs, tablets and smartphones) to surpass 1.7 billion units worldwide (IDC, “Rethinking IT Asset Management in the Age of the Internet of Things,” Robert Young, March 2014). These particular endpoint devices (PCs, tablets and smartphones) are where we start when securing our network. As the sea of things grows over time, we will also need to develop security measures to protect them. However, many of today’s things, such as insulin pumps that can be remotely controlled, aren’t built with software that can be updated. Once a flaw is found in such a device, it can’t be patched, so it stays hackable. Over time, we can only hope that smart devices will be designed so they can be secured, but for now, let’s look at the devices you can secure and how you can secure them.
Protecting Your Endpoints
Currently, the most popular endpoint devices are company workstations, laptops and mobile devices. Just as you protect your network with firewalls, intrusion prevention systems/intrusion detection systems and host-based intrusion prevention systems, you should protect your endpoints. You can’t rely on anti-virus software alone, because it misses too much. The Ponemon 2013 State of the Endpoint study revealed that only 12 percent of those surveyed said current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today’s malware risk. To protect your endpoints, you need network visibility. You should know what every device on your network is, who is using it and what it is being used for, so that you can tell when something sinister is going on. That would be impossible to do manually, especially with wireless networks and mobile devices, but there are all-in-one endpoint management systems that can do it and more. These systems can be deployed either on your own premises or in the cloud. They can roll out the latest patches for your operating system and for third-party applications, either to all computers at once or to groups of them. They can detect and keep track of all endpoints in your network, including printers, routers, switches, laptops and servers, and track your software licensing compliance. There are also mobile device management systems that let users conduct business on their own devices (laptops, tablets, smartphones) by putting all business email and documents in a separate, isolated container on the device, so your IT team controls your proprietary data. If the mobile device is attacked, the containerized portion holding your company data is protected: without the proper credentials, neither a person nor malware elsewhere on the device should be able to read it (this isolation is weakened if the device has been rooted or jailbroken). If the device is lost or stolen, or if the employee is terminated, IT can wipe the containerized portion.
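The “know what every device on your network is” step, as an added example that is not code from the article or from any management product it alludes to: hosts seen in an ARP table (the sample output below is constructed) are reconciled against an authorized asset inventory (a hypothetical dict keyed by MAC address), and anything unaccounted for is flagged for investigation.

```python
"""Reconcile observed network hosts against an authorized asset inventory.

Added example (not from the article or any vendor product). The ARP-table
lines below are constructed, and INVENTORY is a hypothetical asset register.
"""
import re
from collections import namedtuple

# Constructed sample, in the style of `arp -an` output on Linux.
ARP_OUTPUT = """\
? (10.0.1.10) at 00:1a:2b:3c:4d:01 [ether] on eth0
? (10.0.1.11) at 00:1a:2b:3c:4d:02 [ether] on eth0
? (10.0.1.57) at 3c:5a:b4:00:11:22 [ether] on eth0
? (10.0.1.200) at 00:1a:2b:3c:4d:03 [ether] on eth0
? (10.0.1.250) at <incomplete> on eth0
"""

# Hypothetical authorized inventory: MAC -> (hostname, owner, platform).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("ws-alice", "alice", "Windows 10"),
    "00:1a:2b:3c:4d:02": ("ws-bob", "bob", "Mac"),
    "00:1a:2b:3c:4d:03": ("printer-3f", "facilities", "printer firmware"),
}

# Matches resolved rows only; "<incomplete>" rows have no MAC and are skipped.
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) ", re.I)

Host = namedtuple("Host", "ip mac")


def parse_arp(text):
    """Return a Host for every resolved ARP row in the given output."""
    hosts = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            hosts.append(Host(m.group("ip"), m.group("mac").lower()))
    return hosts


def reconcile(hosts, inventory):
    """Split observed hosts into known (with an inventory record) and unknown."""
    known, unknown = [], []
    for h in hosts:
        if h.mac in inventory:
            known.append((h, inventory[h.mac]))
        else:
            unknown.append(h)
    return known, unknown


def missing_from_network(hosts, inventory):
    """Inventory MACs not currently seen on the wire (offline or removed)."""
    seen = {h.mac for h in hosts}
    return sorted(mac for mac in inventory if mac not in seen)


if __name__ == "__main__":
    observed = parse_arp(ARP_OUTPUT)
    known, unknown = reconcile(observed, INVENTORY)
    for h, (name, owner, platform) in known:
        print(f"known    {h.ip:<12} {h.mac}  {name} ({owner}, {platform})")
    for h in unknown:
        print(f"UNKNOWN  {h.ip:<12} {h.mac}  not in inventory; investigate")
    for mac in missing_from_network(observed, INVENTORY):
        print(f"absent   {mac}  in inventory but not seen on the network")
```

A MAC address is trivially spoofed, so this is a discovery check, not an authentication check; in practice you would feed it from switch CAM tables or DHCP leases across every subnet and pair it with 802.1X or NAC so that an unknown device is quarantined rather than merely listed.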
One Strike and You’re Out
While it might seem like these endpoint management systems hit the ball out of the park, totally securing your devices, they don’t, because they can’t address the three ways your employees can be tricked into unwittingly putting malware on their computers. When your company puts layers upon layers of security around its network and on its endpoints, breaking into your network is tough. So, attackers find an easier way to get inside: through your employees. This normally comes about via phishing emails. The attacker creates a legitimate-looking email, which appears to come from a trusted source such as a prospect or company affiliate, containing a malicious link or attachment. Once the employee opens the attachment or clicks the link, malware is surreptitiously installed on the computer, giving the attacker a foothold in the corporate network.
Another way attackers strike is by tricking employees into downloading malware from websites the targeted company’s employees are likely to visit. These watering hole attacks work like this: An attacker targeting a specific company compromises the website of an organization the company’s employees are likely to visit, perhaps an industry association. The attacker plants exploit code on the association’s website, so if the browser or a plug-in on your employee’s computer has an unpatched vulnerability, it becomes infected. The term watering hole comes from predators that wait where their prey gathers; here the prey are your employees.
Attackers also place malicious links into popular websites they’ve broken into, or onto fake websites they’ve created that simulate the look of popular websites. So even a fully patched computer is at risk: no exploit is needed if the link persuades the user to download and run a file, or to type credentials into a fake login page. When just one device in your network becomes infected, it is easy for an attacker to scan your network, infect other devices and exfiltrate your data. That is why it’s absolutely necessary for organizations to be able to detect a threat the moment it hits an endpoint, or the moment that infected endpoint is connected to the corporate network.
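One concrete check for the “appears to come from a trusted source” trick described above, added here and not code from the article: parse the sender headers of a message, compare the sender’s domain against a list of trusted partner domains for near-misses (an edit distance of one or two characters), and flag a Reply-To that points somewhere other than the From domain or a display name that name-drops a trusted domain the address does not belong to. The two messages, the trusted-domain list and the distance threshold are all constructed or assumed for the example.

```python
"""Flag sender-spoofing patterns typical of phishing e-mail.

Added example, not from the article. TRUSTED_DOMAINS, both messages and the
max_distance threshold are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-partner.com", "example.com"}  # hypothetical

# Constructed phishing message: a lookalike domain (examp1e-partner.com),
# a display name that cites the real partner domain, and a foreign Reply-To.
PHISH = """\
From: "Dana Lee (example-partner.com)" <dana.lee@examp1e-partner.com>
Reply-To: <billing@mail-drop.example.net>
To: bob@example.com
Subject: Invoice attached

Please open the attached invoice.
"""

# Constructed legitimate message from the real partner domain.
CLEAN = """\
From: Dana Lee <dana.lee@example-partner.com>
To: bob@example.com
Subject: Meeting notes

Notes attached.
"""


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value):
    """Return (display name, domain) from a header value; '' when absent."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()


def assess(raw_message, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    name, from_dom = split_address(msg["From"])
    _, reply_dom = split_address(msg["Reply-To"])
    findings = []
    for t in sorted(trusted):
        # Lookalike: close to a trusted domain but not actually that domain.
        if from_dom != t and edit_distance(from_dom, t) <= max_distance:
            findings.append(f"From domain {from_dom!r} resembles trusted {t!r}")
        # Name-dropping: display name cites a trusted domain the address lacks.
        if t in name.lower() and from_dom != t:
            findings.append(f"display name cites {t!r} but address is {from_dom!r}")
    # Reply redirection: replies would go to a different domain than the sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From {from_dom!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, assess(raw) or ["no findings"])
```

Edit distance catches transpositions and digit-for-letter swaps but not internationalized lookalikes (Cyrillic “а” for Latin “a”); for those, normalize the domain with IDNA decoding and a confusables table before comparing. Any such check is a filter on the message, not on the user: the employee who receives a flagged mail still needs a reason not to open the attachment.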
The Kill Chain
The kill chain is the sequence of steps attackers take to break into a network and steal information. Once the malware is running on an endpoint, it initiates an outbound connection to the attackers, who then harvest the login credentials of the user on the infected computer. They expand their access to your network, accumulating the login credentials of other users as they go, exfiltrating data and covering their tracks so they can proceed undetected by security devices. In “The State of Advanced Persistent Threats” (2013), the Ponemon Institute reports that on average attacks went undiscovered for 225 days, a delay respondents attributed to a lack of sufficient endpoint security tools. The later you stop the attackers, the more data they can access and the longer and costlier it becomes to get them out of your network. That’s why you need to be able to detect anomalous activity on your endpoints immediately.
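The outbound connection that malware opens to its operators is one of the earliest observable links in that chain, and it is usually periodic. As an added example (not code from the article or from any detection service it describes), the script below parses a constructed connection log, groups connections by source, destination and port, and flags flows whose inter-connection intervals are nearly constant, the “beaconing” pattern of command-and-control check-ins. The log format (epoch seconds, source IP, destination IP, port, bytes) and the thresholds are assumptions.

```python
"""Detect beacon-like outbound connections in a connection log.

Added example, not from the article. LOG is constructed; the record layout
(epoch src dst port bytes) and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.1.57 checks in with 203.0.113.9 roughly every
# 300 seconds with small payloads; 10.0.1.10 browses irregularly.
LOG = """\
1700000000 10.0.1.57 203.0.113.9 443 1024
1700000010 10.0.1.10 198.51.100.20 443 88211
1700000297 10.0.1.57 203.0.113.9 443 1030
1700000301 10.0.1.10 198.51.100.21 80 4120
1700000602 10.0.1.57 203.0.113.9 443 1022
1700000650 10.0.1.10 198.51.100.20 443 2201
1700000899 10.0.1.57 203.0.113.9 443 1028
1700001000 10.0.1.10 198.51.100.22 443 15000
1700001203 10.0.1.57 203.0.113.9 443 1025
1700001498 10.0.1.57 203.0.113.9 443 1031
1700001800 10.0.1.57 203.0.113.9 443 1027
1700001820 10.0.1.10 198.51.100.20 443 3300
"""


def parse_log(text):
    """Parse 'epoch src dst port bytes' rows; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, size = parts
        records.append((int(ts), src, dst, int(port), int(size)))
    return sorted(records)  # chronological, so intervals below are positive


def find_beacons(records, min_connections=4, max_cv=0.1):
    """Flag (src, dst, port) flows whose connection intervals are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv."""
    flows = defaultdict(list)
    for ts, src, dst, port, size in records:
        flows[(src, dst, port)].append((ts, size))

    beacons = []
    for (src, dst, port), events in flows.items():
        if len(events) < min_connections:
            continue  # too few samples to call a rhythm
        times = [ts for ts, _ in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            sizes = [s for _, s in events]
            beacons.append({
                "src": src, "dst": dst, "port": port,
                "count": len(events), "mean_interval": avg, "cv": cv,
                # Near-identical payload sizes are a second beaconing tell.
                "size_cv": pstdev(sizes) / mean(sizes),
            })
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['port']}  {b['count']} connections, "
              f"every ~{b['mean_interval']:.0f}s (cv={b['cv']:.3f}, "
              f"size cv={b['size_cv']:.3f})")
```

Real implants add deliberate jitter, so the interval threshold is a starting point to tune rather than a constant, and legitimate software (NTP, update checkers, monitoring agents) beacons too; allowlist those destinations and let the remaining hits drive the endpoint investigation rather than raise an alert on their own.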
As soon as an attacker has broken into an endpoint, you need a cleanup hitter to knock them out of your network before they can move laterally and reach your data. An advanced endpoint threat detection service can continuously scan endpoints, including servers, for indicators of threat actor activity. When indicators are discovered, an analyst team can investigate the events to determine whether a breach has occurred. If one has, the analysts can provide a detailed report of the activity and remediation recommendations. Because the analysts can see exactly what type of activity has taken place and precisely where the malware is located, the malware can often be removed completely without wiping the device, although once an attacker has gained administrative control, reimaging remains the safest course. If you need help with your remediation, the security service team can do it for you remotely.
As your IoT grows, more and more of your network will be at risk, and more endpoints will need to be protected. If you don’t protect your IoT, attackers could strike your company O-U-T.