Internet of Things security concerns prompt boost in IoT services

Symantec pushes more IoT services

Symantec Corp. announced Tuesday it is expanding its security catalog to help enterprises handle the growing number of Internet-connected devices that will inevitably infiltrate the enterprise, likely sooner rather than later. Gartner, Inc. has predicted 4.9 billion "Things" will be used this year, a number the analyst believes will reach 25 billion by 2020.

While Symantec's broader Unified Security Strategy already includes measures for authentication, device security, analytics and management to help prevent devices from being "hacked, tracked and hijacked," Symantec is specifically growing its IoT services portfolio. Symantec claimed it is already securing more than one billion IoT devices, and the addition of three new security measures -- and strong partnerships -- will help it secure even more smart cars, meters, critical infrastructure and a plethora of consumer devices that make up the majority of the IoT device pie.

ATM manufacturer Wincor Nixdorf was named an early adopter of Symantec Embedded Critical System Protection, which aims to protect IoT devices from zero-day and other attacks by locking down software embedded in the device.

Symantec is also working on creating "Roots of Trust" by combining Symantec's Certificate Authority with its partners' embeddable engines, including Texas Instruments Inc. and wolfSSL Inc., to safely authenticate and encrypt data.

To ensure code operating on IoT devices is authorized, Symantec announced it will provide code signing certificates and a cloud-based signing service that specifically works with IoT code formats.

Symantec also announced it would be working on additional IoT security technology, including a centrally managed IoT portal, and analytics to help detect anomalies and attacks on IoT networks.

Internet of Things security concerns increase

Symantec's announcement comes a week after the release of a report highlighting the potential risks of Internet of Things devices.

Sponsored by NexusGuard Ltd. and conducted by Cybersecurity Ventures, the report exposing Internet of Things security concerns noted that by the end of 2017, more than 20% of businesses will adopt IoT services to secure Internet-connected devices and networks, which will in turn advance the multi-trillion dollar IoT marketplace and boost security research and spending through 2025.

The report also discussed how Internet of Things devices can be used as "jumping off" points for distributed denial-of-service attacks.

"These vulnerable devices can be exploited during software updates and used as launch proxy servers that can be targeted at businesses which are then extorted for monetary payment," the report reads. "DDoS is often the 'first wave' of attacks by hackers who use them to distract companies from other more targeted intrusions."

Researchers also found attacks exploiting the Simple Service Discovery Protocol (SSDP) were growing in prevalence, mirroring the separate findings of NSFOCUS and Akamai Technologies, Inc. earlier this year.

SSDP attacks are especially dangerous, the report said, because they "utilize vulnerable routers to amplify an attack beyond normal bandwidth limits while also hiding the original source of the attack."

Nexusguard researchers reported seeing 64 Internet-based scans for SSDP services over the past week, as well as tracking 559 exploited "edge devices" -- devices that act as an entry point to a network.

"IoT brings new layers of interconnectedness and efficiency, but the risks cannot be ignored," Steve Morgan, CEO at Cybersecurity Ventures, said. "We created this report to highlight the risks that come with IoT devices, as more and more of these objects are connected to the Internet and built with exploitable lightweight security."

The report also touched on other Internet of Things security concerns, including a lack of security, waning manufacturer support and ending patching cycles.

"By its very design, the Internet of Things is built with lightweight security," Terrence Gareau, chief scientist at Nexusguard, said. "These devices rely heavily on shared libraries and rapid development cycle. Because of their constraints, many IoT devices have limited options for firmware upgrades and other risk management features. The fact that they are also "always-online" makes them highly susceptible to intrusion and attacks."

In other news

• In a report released Wednesday by cloud security vendor CloudLock, Inc., researchers determined that 1% of employees are responsible for 75% of the security risks encountered in the cloud. For the "Q3 Cloud Cybersecurity Report," CloudLock CyberLab researchers analyzed the behavior of 10 million users, 1 billion files and more than 91,000 unique applications to reach the conclusion that a few users are responsible for the majority of the risk. Researchers found the top 1% of users -- which includes privileged users, software architects and machine-based identities that perform automated functions -- are responsible for 57% of file ownership, 81% of the files shared, 73% of excessively exposed files and 62% of app installations. Research also showed that 70% of external file sharing occurs with non-corporate email addresses, which is difficult for security teams to control -- and secure. "Cyberattacks today target your users, not your infrastructure. As technology leaders wake up to this new reality, security programs are being reengineered to focus where true risk lies: with the user," Gil Zimmermann, CloudLock CEO and co-founder, said. "The best defense is to know what typical user behavior looks like and, more importantly, what it doesn't."
• Retailer Target Corp., which experienced one of the largest retail breaches in history in 2013, has agreed to pay as much as $67 million to settle claims over the breach. In an agreement with Visa Inc. on behalf of banks and other financial institutions, the money will cover costs incurred by both Visa and its issuers during the time of the breach. While neither Visa nor Target is putting a dollar value on the agreement, people familiar with the settlement said the amount paid by Target included the maximum amount laid out in Visa's regulations, according to the Wall Street Journal. Target is also reportedly considering reimbursing customers for fraud incurred after the breach if those customers agree not to sue the company. Target is reportedly working on a similar settlement with MasterCard, Inc. which comes nearly two months after Citigroup Inc., Capital One Financial Corp. and J.P. Morgan Chase & Co. rejected a $19 million settlement backed by MasterCard.
• While 45% of U.S. workers use Apple devices at work for work, the devices lack the proper security and can cause a major data security problem, according to a report commissioned by Centrify Corp. released Monday. The results of a poll of 2,249 employees found 63% of the Apple devices -- including Macs, iPads and iPhones -- are owned by the employee, yet only 51% are only secured by a password, 58% do not have software installed to enforce strong passwords, and only 17% have a company-supplied password manager installed. Fifty-six percent of respondents even admitted to sharing passwords with others. The survey, conducted by Dimensional Research, also concluded that only 28% of Apple devices have a corporate mobile device management installed, and only 35% of companies enforce the use of stored data encryption. "Centrify's Apple survey spotlights the massive exposures that occur when devices do not comply with standard corporate security policies," said Bill Man, chief product officer of Centrify. "In particular, customer data represents a huge liability. It's time for IT to take action."