The litany of hacks against Internet of Things (IoT) connected devices is getting longer by the CPU cycle. If you’re not already worried because of the Mirai Worm, check out this simulated ransomware-based attack that enables hackers to manipulate key programmable logic controllers (PLCs) in a water treatment plant. “Pay up or we add toxic levels of chlorine to your city’s water.”
The massive and ever-growing threat from attack vectors like these makes me ask myself (and my clients): why are all these IoT systems exposed to the Internet in the first place?
Answer: We live in the age of the remote employee and the distributed organization, and it just makes sense (in terms of cost, simplicity, flexibility, etc.) to manage these systems remotely.
So how do we live in a “remote” age safely?
I’ve heard of dubious workarounds for this issue, notably Check Point’s advisory recommending that companies buy its security solutions so they can use them to block crawlers from the Shodan search engine. Shodan is designed to find Internet-connected devices. Researchers and security professionals frequently use it to discover vulnerable systems and networks to reveal data breaches.
Yes, hackers use Shodan (and similar tools) all day long to choose their victims. But blocking Shodan crawlers is like putting your head in the sand: “If I can’t see you, then you can’t see me.” Shodan itself isn’t the problem. Our problem is an abundance of IoT-connected devices.
So if you’re a security professional, hold up your right hand and repeat after me: “I, <state your name>, promise not to give any device a public IP address unless it absolutely needs it!”
Now you may be thinking, “But Andrew, how will I manage my remote systems without putting them on the Internet?” Simple. Use a VPN. (And configure it correctly.) Make those systems part of your internal network, and further limit access to that network segment to the specific individuals who require access for their current work—and only from their workstations, not from their homes (unless your water purification plant engineer works from home, which I highly doubt).
You may be thinking, “Aren’t VPN endpoints expensive to purchase and maintain?” In the end, cost is relative. Which costs more: a few VPN endpoints, or picking up the pieces following a data breach or ransomware attack (which currently, on average, will set you back about $4 million)?
Taking all possible systems and connected devices off the Internet is an essential step in battening down your network and minimizing your attack surface. It won’t make you invulnerable, but it’s a big step in the right direction.
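One way to check an environment against the two rules above (no public IP without a documented need, and segment access only from named workstations) is a small inventory audit. This is an added example, not part of the original post; the field names, device names, addresses and the assumption that internal space is RFC 1918 only are all constructed for illustration.

```python
import ipaddress

# Assumption: internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; documentation ranges stand in for public addresses.
INVENTORY = [
    {"name": "plc-chlorine-01", "ip": "203.0.113.10", "needs_public_ip": False},
    {"name": "hmi-plant-02", "ip": "10.20.5.14", "needs_public_ip": False},
    {"name": "vpn-gw-01", "ip": "198.51.100.7", "needs_public_ip": True},
    {"name": "cam-lobby-03", "ip": "not-an-ip", "needs_public_ip": False},
]
# Constructed allow rules for the management segment (source -> note).
SEGMENT_RULES = [
    {"source": "10.8.0.21/32", "note": "engineer workstation over VPN"},
    {"source": "10.8.0.0/24", "note": "whole VPN pool"},
    {"source": "0.0.0.0/0", "note": "legacy vendor access"},
]
APPROVED_WORKSTATIONS = {"10.8.0.21", "10.8.0.22"}


def audit_inventory(inventory):
    """Return (exposed, unparseable) device names."""
    exposed, unparseable = [], []
    for dev in inventory:
        try:
            addr = ipaddress.ip_address(dev["ip"])
        except ValueError:
            unparseable.append(dev["name"])  # unknown address: review by hand
            continue
        internal = any(addr in net for net in INTERNAL_NETS)
        if not internal and not dev["needs_public_ip"]:
            exposed.append(dev["name"])
    return exposed, unparseable


def overbroad_rules(rules, approved):
    """Return sources that are not a single approved workstation."""
    flagged = []
    for rule in rules:
        net = ipaddress.ip_network(rule["source"])
        if net.num_addresses != 1 or str(net.network_address) not in approved:
            flagged.append(rule["source"])
    return flagged


if __name__ == "__main__":
    print(audit_inventory(INVENTORY))
    print(overbroad_rules(SEGMENT_RULES, APPROVED_WORKSTATIONS))
```

Devices with an unparseable address are reported separately rather than silently passed, since an unknown address cannot be shown to be internal.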
To find out how you can identify and mitigate IoT-related risks in your environment quickly and cost-effectively, contact Pivot Point Security.