Dark Cubed Calls IoT Security an Underappreciated Menace
At first glance, the report on Internet of Things security that vendor Dark Cubed published in March isn’t cause for concern among channel pros, as the massive and worsening vulnerabilities it describes are limited largely to consumer devices. Unfortunately, that false sense of safety dissipates quickly when you speak with Dark Cubed CEO Vince Crisler.
“I don’t think there’s a big difference between consumer devices and the IoT that businesses use,” said Crisler this week at the ChannelPro SMB Forum event in Raleigh, N.C. “The same cameras, the same light bulbs are showing up in SMBs.”
That’s a problem, too, because many of the devices Dark Cubed tested while preparing its report failed basic security checks and had significant vulnerabilities. Most of the cameras, meanwhile, did little to prevent “man in the middle” attackers from viewing private images in transit across the internet. Threat actors are likely to find additional unintended uses for IoT hardware in the future as well, according to Crisler.
“When IoT devices can easily be exploited because they have bad security in place, they can be used as tools for all sorts of things, and that’s actively being exploited today,” he says.
The distributed denial of service attack that slowed VoIP services last week is a case in point. Though the role Internet of Things devices played in that incident is unknown at present, Crisler expects to see IoT-powered DDoS campaigns in the future.
“If you think about the effect that ransomware has had on the market, where if you lock people out of their files they pay, what happens if you’ve locked people out of their infrastructure?” he asks.
Crisler worries as well about the national security implications of American businesses deploying gadgets made by Chinese companies operating in an economy closely controlled by the Chinese government. Every device Dark Cubed evaluated when preparing its March IoT security report, in fact, had “strong supply chain and business connections to China,” the company says, and most had at least one network connection to a server in China.
“On one hand, you feel xenophobic for saying China’s bad and you don’t want to be that person, but there’s a strategic national effort going on there to get access to information, so we’ve got to be thinking about these things,” he says.
Unfortunately, Crisler adds, not enough people inside or outside of government are talking about IoT security danger. “I think it’s underappreciated,” he says. Worse yet, there are no easy answers to the problem.
“You can’t give this to NIST and say, ‘publish another framework.’ That’s not going to fix this,” Crisler says. “It’s part Department of Commerce, part Department of Treasury, part Homeland Security.”
In the meantime, channel pros can mitigate the dangers posed by consumer IoT gear, Crisler continues, by discouraging clients from using it. “Your starting point should be don’t do it,” he says. “Being able to turn on a light with your phone is not worth the risk that it produces.”
To protect customers who deploy vulnerable devices anyway, he adds, focus on the basics. “You have to have a strong foundation before you can address the more complex issues,” he says. “Then at least you’re raising the floor of what it takes to be successful from an attacker standpoint.”
As a barebones starting point, for example, every MSP should deploy endpoint protection software, patch devices regularly, minimize access rights, and confine IoT hardware to segregated networks. Network monitoring and log inspection are helpful too. “If you’re monitoring the network and then stuff starts to go out to China, you’re going to see it,” Crisler says. “In some ways, I kind of correlate that to a smoke detector.”
Above all else, Crisler stresses, implement two-factor authentication everywhere. “If you don’t have two-factor authentication in place, nothing else matters,” he says. According to Microsoft, in fact, multifactor authentication can block over 99.9% of account compromise attacks.
Of course, IoT security is far from the biggest threat businesses face today, and Crisler expects the more familiar ones to remain the most menacing. “I think we’re going to continue to see the same trends, with phishing attacks and ransomware and business email compromise that just continue to be successful,” he says.
That should translate into further sales momentum for security vendors like Dark Cubed, which has been growing 15% month over month to date this year. “I think MSPs are waking up to the need to deliver security to their customers,” Crisler says. “They’re looking to the market for affordable, effective solutions, and they’re finding us.”
To take advantage of that demand, Dark Cubed is currently finalizing a funding round expected to be worth $5 to $10 million. The company will use that money to fuel sales and marketing, add integrations with DNS filtering and endpoint protection products, and accelerate development of new cloud and mobile security features. That will move the company past its original focus on affordable, automated firewalls, a shift that, according to Crisler, reflects the evolving nature of security threats and solutions in an increasingly post-perimeter era.
“Frankly, I think in five to 10 years, the idea of a firewall is gone. There may not be firewalls anymore at all, and so we can’t be focused purely on firewalls,” he says.