Story image

Information security professionals may not be prepared for IoT after all

15 Mar 16

Risk and concern surrounding the Internet of Things (IoT) continues to grow, while related security resources and visibility into connected devices stagnates, according to new research sponsored by Pwnie Express, the wireless threat detection solutions provider.

As a result, even with awareness of vulnerable devices at an all time high, information security professionals are not ready or equipped to address the growing threat of the IoT, the research suggests.

According to the report, today, 86% of information security professionals are concerned about connected device threats, with 50% either ‘very’ or ‘extremely concerned’.

Furthermore, the majority (67%) are more worried about connected device threats than they were a year ago, with first- hand experience driving heightened concern - 55% have witnessed an attack via wireless device, and 38% have witnessed an attack via mobile device.

Due to the proliferation of wireless and mobile devices and the prevalence of BYOD and BYOx environments, IT security professionals are lacking visibility, as 37% can’t even tell how many devices are connected to their networks. Additionally, 40% note their organisation is ‘unprepared’ or ‘not prepared at all’ to find connected device threats.

On top of this:

  • Most security professionals are not ready to monitor or detect less-common RF and off-network IoT devices.
  • 89% cannot see Bluetooth devices, and 87% cannot monitor 4G/LTE devices in real time.
  • 71% cannot monitor off-network WiFi devices in real time.
  • 56% cannot monitor on-network IoT devices in real time.

Subsequently, the vast majority (71%) is concerned with devices in a default, misconfigured, or vulnerable state, including devices with default passwords and ‘wide-open’ settings. Additionally, more than half (51%) are concerned about unauthorised mobile devices, access points and wearables. Corporate sponsored BYOD is also a source of concern (36%), as are personal 4G/LTE hotspots and broadband USB dongles (24%).

As part of this research initiative, Pwnie Labs, the research and development division at Pwnie Express, aggregated and analysed more than seven million wireless and wired devices detected by the SaaS-based Pwn Pulse platform to identify the following year-over-year trends when comparing 2014 and 2015 data:

  • Coolpad devices, at 30%, have overtaken Samsung as maker of devices accounting for the most prevalent vulnerable mobile hotspots.
  • HP Print, at 56%, has overtaken Xfinitywifi as the most common default open wireless network.
  • HP printers are the most prevalent wireless devices deployed in a highly vulnerable default configuration at 56%; while exposing confidential print jobs and compromising corporate client devices, these printers can be also used as a backdoor into private corporate networks.
  • Wireless Access Points (APs) remain vulnerable: 35% of APs within the last six to 12 month show weak or no encryption.

“As the IoT universe continues to grow, the corresponding attack surface for malicious actors is growing, giving them an easy and unsecured way into your organisation’s most sensitive information - and this has understandably put information security professionals on edge,” says Paul Paget, Pwnie Express CEO.

“Yet, despite ever-growing concerns around the proliferation of connected devices on and around their networks, more than one-third of organisations admit to having no BYOD policy in place at all and only 24% actually have a budget in place for BYOD security technology.

“This tells us that security professionals desperately need help educating the corner office and those in charge of the purse strings about the new evils and dangers their organisations face in our ever-evolving IoT world," Paget says.

Ransomware infection? Here’s how you control the damage
Ransomware has evolved to be more sophisticated and targeted, and remains a threat to businesses of all sizes.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.
Don’t let your network outgrow your IT team
"IT professionals spend less than half of their time at work optimising their networks and beefing it up against future security threats."
Three access management trends making waves in APAC
Consumer identity proofing, authentication, and authorisation will top the $37 billion value mark by 2023.