Internet connected cameras used in cyber attack – are IoT assets on your radar yet?
The BBC reports that hackers used Internet connected devices last week to perform a denial of service attack that brought down Internet brands Twitter, Spotify and Reddit.
Forbes suggests that the main culprit appears to be unsecured cameras. Security blogger Brian Krebs suggests that some vulnerabilities in smart devices, such as default passwords, cannot be changed by the owner:
“As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.” ~ Brian Krebs
When devices are Internet connected, they can be taken over by hackers and coordinated as a botnet to perform a specific task.
Looks like Mirai botnet of hacked cameras at least partly responsible for epic outages today https://t.co/EAtHc91iQX
— Thomas Brewster (@iblametom) October 21, 2016
Asset Managers need to be aware of new smart devices on their network. Whilst plenty of the hype around the Internet of Things and internet connected devices has focused on consumer devices and the fridge that knows to restock its own beer, there is enormous potential for IoT in the enterprise space, with manufacturing, healthcare providers, insurance and banking being key vertical markets:
World is going #digital! By 2020, the value of the Internet of Things {#IoT} projected to $1.9 trillion. @Gartner_inc industry forecasts: pic.twitter.com/930Pm02hav
— Mike Quindazzi (@MikeQuindazzi) October 16, 2016
This is a great opportunity for IT Asset Managers to a) bring additional value to their security team and b) extend the reach of their ITAM practice beyond IT department devices. Unchecked devices could present a significant weakness in enterprise defences, as Ben Evans eloquently suggests via his newsletter:
“A chunk of the Internet went down this week, effectively, because someone did a massive distributed denial-of-service attack using a botnet of millions of hacked IoT devices – mostly, it seems, IP webcams from one Chinese company that don’t have decent security. This is an interesting structural problem – the devices once sold are either impossible or unlikely to be patched, the users probably don’t even know that their device is hacked, and the manufacturer has no motivation and probably few of the necessary skills to do anything about it. A network designed to withstand nuclear attack, brought down by toasters.”
Not only are more and more devices being internet connected, they are also collecting data and talking to each other:
#IoT http://t.co/eDj6omkuTn Vala Afshar on Twitter: "The 'Internet of Things' marketing: pic.twitter.com/QMbhmLNDiH"
— Internet of Things (@TheIoT) March 26, 2015
Are IoT devices on your radar yet? Please let me know in the comments section.
If smart devices are connected to your network they are probably already in your discovery data – but are you managing them? As we discussed in a recent podcast, devices are becoming smarter and SNMP might be able to provide a wealth of detail about the identity of devices – but are you managing it yet? Please share your views.
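An added example, not from the original article: one way to check whether IoT devices already present in discovery data are under management, by matching SNMP identity fields against an asset register. The records, MAC addresses, enterprise numbers, keyword list and function names are constructed for illustration.

```python
import re

# Constructed discovery records: sysDescr (1.3.6.1.2.1.1.1.0) and
# sysObjectID (1.3.6.1.2.1.1.2.0) as a discovery tool might store them.
DISCOVERY = [
    {"ip": "10.0.5.21", "mac": "00:11:22:AA:BB:01",
     "sysDescr": "Example IP Camera fw 1.0", "sysObjectID": "1.3.6.1.4.1.99999.1.2"},
    {"ip": "10.0.5.22", "mac": "00:11:22:AA:BB:02",
     "sysDescr": "Example Laser Printer", "sysObjectID": "1.3.6.1.4.1.99997.3"},
    {"ip": "10.0.5.23", "mac": "00:11:22:AA:BB:03",
     "sysDescr": "Linux server01 5.10", "sysObjectID": "1.3.6.1.4.1.8072.3.2.10"},
    {"ip": "10.0.5.24", "mac": "0011.22aa.bb04",
     "sysDescr": "Example NVR 8ch", "sysObjectID": ".1.3.6.1.4.1.99998.7"},
    {"ip": "10.0.5.25", "mac": "00:11:22:AA:BB:05",
     "sysDescr": None, "sysObjectID": None},  # no SNMP response
]
# Constructed asset register: MACs already under management (mixed formats).
ASSET_REGISTER = ["00-11-22-aa-bb-02", "00:11:22:AA:BB:03"]

# Assumed keyword list; tune it to the device types on your own network.
IOT_HINTS = re.compile(r"\b(camera|dvr|nvr|printer|thermostat)\b", re.I)

def normalise_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def enterprise_number(oid):
    """Vendor enterprise number from a sysObjectID, or None if absent."""
    match = re.match(r"\.?1\.3\.6\.1\.4\.1\.(\d+)", oid or "")
    return int(match.group(1)) if match else None

def unmanaged_iot(discovery, register):
    """Return IoT-looking devices seen in discovery but not in the register."""
    managed = {normalise_mac(m) for m in register}
    findings = []
    for rec in discovery:
        descr = rec.get("sysDescr") or ""
        if IOT_HINTS.search(descr) and normalise_mac(rec["mac"]) not in managed:
            findings.append({"ip": rec["ip"], "sysDescr": descr,
                             "enterprise": enterprise_number(rec.get("sysObjectID"))})
    return findings

if __name__ == "__main__":
    for finding in unmanaged_iot(DISCOVERY, ASSET_REGISTER):
        print(finding)
```

Devices that do not answer SNMP, like the last sample record, are not classified by this check and need another identity source.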
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to ski, hike, motorbike and spend time with his young family.