The global Internet of Things (IoT) market is projected to be worth $418 billion in 2021, up nearly four times its market value in 2017. It is also expected to become a $1.567 trillion market by 2025. Tens of billions of IoT devices are already being used worldwide, and more of them are expected to be used in various new cases as the technology matures and more innovations emerge.

While this explosive growth in the IoT market is regarded as a boon to many, a somewhat adverse impact is hitting one industry: cybersecurity. The exponential increase in the number of IoT devices used in businesses and homes is posing serious threats to the security of networks and IT assets.

A Deloitte (News - Alert) Perspectives piece highlights the state of cyber risk in an Internet of Things world, characterizing it as something that involves more data and opportunities as well as more risks. “The IoT offers new ways for businesses to create value, however, the constant connectivity and data sharing also creates new opportunities for information to be compromised,” the piece notes.

The need for more robust cybersecurity

With significantly more devices in an organization’s network, it is inevitable for cyber threat exposure to increase. Hackers find more security vulnerabilities and ways to bypass security measures as businesses use more web-connected cameras, fire alarms, locks, lighting, sensors, and other smart devices.

Each new device is equivalent to a new computer or smartphone added to the network, which can then be hacked by cybercriminals to find their way into other devices or siphon sensitive data exchanged between the servers and these devices. The difference is that IoT devices tend to be neglected or not given the same attention when it comes to security.

While most security controls include features or functions that cover attacks aimed at IoT devices, most users take IoT security for granted. This is why cybersecurity experts advise organizations to exercise more prudence and undertake thorough security validation. It is also recommended to use advanced automated penetration testing solutions such as breach and attack simulation (BAS).

Conventional security solutions are likely inadequate in protecting systems or networks with a multitude of IoT devices connected. A study published in the Journal of Applied Sciences presents the challenges encountered in IoT security and privacy. Some of the most notable of them are as follows:

• Many IoT devices are designed for deployment on a massive scale. Keeping track of all of them can be tedious, time-consuming, and expensive.
• IoT devices can be similar or redundant. This similarity means that a vulnerability found in one can also be found in many other devices, creating many opportunities for bad actors.
• IoT devices are generally simple gadgets, appliances, or accessories. However, they are designed to communicate with a wide variety of devices, from servers to smartphones and computers. This interconnection is something cybercriminals can also exploit as they attempt to sniff sensitive data or use the interconnections to infect systems with malicious software via IoT.
• IoT devices are also not designed to be complexly secure. “When it comes to authentication, for instance, IoT faces various vulnerabilities, which remain one of the most significant issues in the provision of security in many applications. The authentication used is limited in how it protects only one threat, such as Denial of Service (DoS) or replay attacks,” the study reads. Some IoT devices may even have embedded passwords while others facilitate remote access and improper device authentication.

The OWASP IoT Project also released its own guidance on IoT security risks. These are similar to what is enumerated above albeit listing specific security problems such as the following: the use of hardcoded passwords, insecure networks services, and ecosystem interfaces, insecure or outdated components, the lack of a secure device update mechanism, insecure default settings, and the lack of device management functions.

Why continuous security testing is a must

Periodic or regular security testing, however, is often not enough to address the changing risks that come with the use of IoT. Adding new sensors or the replacement of smart lighting in a building, for example, can create new vulnerabilities not addressed in a recent security validation routine.

In addition to the critical concerns enumerated above, it is worth noting that IoT devices are prone to eavesdropping or man-in-the-middle (MITM) attacks. “One of the most prevalent attacks in the IoT is the man in the middle, where the third-party hijack communication channel is aimed at spoofing identities of the palpable nodes which are involved in network exchange,” notes the Journal of Applied Sciences published study referenced earlier. MITM effectively makes a server recognize transactions as valid events since the adversary does not have to identify the supposed victim. It only needs to simulate the identities of vulnerable nodes.

Continuous security testing allows organizations to have a real-time glimpse of all activities in the network and detect security controls that do not appear to be serving their intended purpose. Advanced continuous security validation platforms, in particular, are equipped with numerous functions to examine a wide range of threats.

A dependable continuous security testing platform can have threat detection validation, SIEM/SOC validation, attack surface management, security control optimization, full kill chain APT (News - Alert) simulation, phishing awareness functions, as well as purple team automation and cloud and on-prem infrastructure configuration. These create a complex multilayer system of checking the effectiveness of existing cyber defenses to ensure that IoT additions or changes are monitored to make sure that they do not become tools for cyber attackers.

Moreover, many continuous security validation solutions integrate the MITRE ATT&CK framework to take advantage of the latest threat intelligence and insights on adversary tactics and techniques observed in the real world. This framework enhances security testing simulations by aligning them with the actual methods and strategies used by cybercriminals.

The United States passed the Internet of Things Cybersecurity Improvement Act of 2020 to set guidelines in security networks and systems that involve IoT devices. The seven-page law presents various requirements, standards, and processes designed to eliminate or at least mitigate the risks that come with the integration of IoT into systems and networks. However, it fails to emphasize the importance of security validation.

No matter how good an organization’s security controls are, it is wishful thinking to expect them to work flawlessly. There will always be defects, issues, or vulnerabilities that can be exploited by bad actors anytime. Without continuous testing, organizations are allowing cybercriminals opportunities to take advantage of security weaknesses and slowly figure their way into defeating cyber protections.

In conclusion

IoT use is inherently risky given their lack of sophisticated cybersecurity features and the natural tendency to overlook them given their mundaneness. People do not bother updating or security testing their web-connected security cameras or fire alarms, for example. They only care about whether they work or not. Continuous security testing, especially through a reputable comprehensive cybersecurity platform, ascertains that security vulnerabilities are addressed, especially in oft-neglected areas.

The web application firewall, endpoint security tools, antivirus, and other security solutions of an organization may not provide enough protection or may require reconfiguration and tweaks to address new threats that come when new IoT devices are installed or when old ones are replaced. Through continuous security validation, organizations are compelled to examine the security status of their IoT devices and address threats accordingly.