After Mirai shook the rafters of cybersecurity in 2016, IT security professionals (rightfully) expect that connected devices will be a major security headache in 2017 – but still struggle to get a grasp on how to account for, track and monitor those devices, a report from Pwnie Express found.
Results of “The Internet of Evil Things,” Pwnie Express's third annual report on wired, wireless, Bluetooth, IoT, and BYOD challenges faced by IT security, showed that the Mirai attacks marked a shift in perception of Internet of Things (IoT) device threats for 84 percent of the 868 IT professionals surveyed and 92 percent feel certain that connected devices will present a major security issue in 2017.
“Mirai woke them up that an attack can come from some other place,” Paul Paget, Pwnie Express CEO, told SC Media.
Still, 66 percent of the respondents haven't checked employees' devices for Mirai or simply don't know how to check them.
And only 23 percent of those who said they monitored connected devices also said they checked them for malicious infections over the course of the past year.
What was once a straightforward mission for IT security – understanding assets and what they're connected to, as well as keeping them partitioned from the outside world – has grown more complex with the rise of connected devices brought into the workplace not only by employees but also other outsiders, like business partners and visitors.
And top management, by and large, has broken from its previously more conservative stand on personal devices, now pressuring security pros to allow and support them in the enterprise's milieu to increase productivity and allow a more fluid flow of business environment.
“Business leadership is saying to IT security, ‘My people can bring in whatever they want, they're strapped to technology, deal with it,'” Paget told SC, noting that the research also showed that the number of professionals saying they have BYOD policies in place has declined to 55 percent from 63 percent.
“They're not used to dealing with such a diversity of devices,” Paget explained.
The lower number, too, might be attributable to respondents being much more honest about where they stand, according to Jayson Street, infosec ranger at Pwnie Express. “They're admitting ‘we've got a problem with this' instead of trying to make themselves look better,” he said.
Managing connected devices is even more complicated today because IT security must get a handle on devices connecting outside of their corporate networks through public Wi-Fi networks. “They might have said it's outside of my responsibility, but it's not,” said Paget.
A building lobby's coffee shop that employees frequent and whose Wi-Fi they might use to access corporate assets represents an attack vector for those with malicious intent. “They can compromise the coffee shop network and use employees as an attack vector,” said Street.
“It's easier to break in that way than through the corporate network,” said Paget. “This is a new style of phishing – you don't have to get them to click on a link, just connecting to Wi-Fi is enough.”
To improve their security postures as IoT thrives and expands, organizations must broaden their mission to include devices on and outside of the their corporate networks and apply established controls. “It all comes back to 20 critical security controls, five that matter, with the first being identify your assets on both the public and private networks,” said Paget. “That's part of your asset base.”