TMCnet News
Study: Critical Infrastructure Executives Complacent about Internet of Things Security

Tripwire, Inc., a leading global provider of advanced threat, security and compliance solutions, today announced the results of an extensive study conducted by Atomik Research on the security of the "Enterprise of Things" in critical infrastructure industries. The study examined the impact that emerging security threats connected with the Internet of Things (IoT) have on enterprise security. Study respondents included 404 IT professionals and 302 executives from retail, energy and financial services organizations in the U.S. and U.K. The study whitepaper is available here: http://www.tripwire.com/register/enterprise-of-things-report/. Key findings included:
Research firm IDC anticipates there will be over 28 billion IoT devices installed by 2020 (http://tripwire.me/1tHxq1n), up from an estimated nine billion today. These devices are expected to deliver an overall global economic value add of $1.9 trillion, of which 80 percent will be derived from services. While the IoT marketplace is lucrative, new devices will open additional attack vectors for enterprise networks. Respondents were asked how prepared their businesses are for meeting the new and rising challenges of IoT growth in the workplace. The Tripwire study did not include smartphones, tablets or laptops because the security risks associated with these devices are relatively well understood. Instead, the study focused on IoT device categories already on enterprise networks as well as new device types that are at an inflection point in market adoption. Device categories included:
Quotes:

"The reason many enterprises are relatively 'unconcerned' about the security of IoT devices is because they misunderstand the risk. They may believe they have 'solved' the security problem, when they have not. Alternatively, they may believe that there is no security problem when there is. Frequently, organizations believe that they have nothing of value that would interest an attacker - this is rarely true. For attackers there is always something to be gained, and they're not always looking for data that has financial value. From the theft of information or services that can be used to add a veneer of legitimacy to phishing campaigns or user credentials that can be used to gain access to a connection point from which to attack corporate partners, there is always something of value."
Chris Conacher, security development manager at Tripwire

"The study highlights the need to be able to build security and identity into the Internet of Things in a standard way so that IoT devices can be on-boarded into whichever environment is required - home, business or national critical infrastructure. A plethora of cloud-based solutions unique to each manufacturer, supplier or even device will lead to chaos and insecurity."
Paul Simmonds, CEO, Global Identity Foundation

"It's far more likely that employees will be infected with malware outside the enterprise. Employees routinely use smartphones and tablets on untrusted networks. They download suspicious apps from third-party app stores and then connect to the corporate network over a cheap home router with dubious firmware. The risk of cross contamination from home networks can be very serious unless security controls are enforced. Unfortunately, most people assume that virtual private networks (VPNs) solve all remote connection problems, but this is just not true.
"While consumer-focused IoT devices present minimal direct risk to the enterprise, many of them connect back to a vendor's infrastructure via the Internet to store user data. Successful attacks against these backend infrastructures provide attackers with user credentials and other information that could enable them to gain a foothold into an employee's home network. From there it's entirely possible for an attacker to install keyloggers or other malware designed to steal the user credentials necessary to log into corporate networks. In general, people seriously underestimate how easily attackers can move around inside networks once they gain access."
Craig Young, security researcher for Tripwire

Additional resources:

"Risks of The Internet of Things" video: http://tripwire.me/1zrQr0L
"3 Internet of Things Security Nuances You May Not Have Considered" blogpost: http://tripwire.me/1ACkVZ5
"The Internet of Things: Hack My Nannycam" blogpost: http://tripwire.me/1BudHfl

About Tripwire, Inc.

Tripwire is a leading provider of advanced threat security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire's portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.

Photos/Multimedia Gallery Available: http://www.businesswire.com/multimedia/home/20150126005287/en/