Akamai: IoT the new 'shadow IT' of the enterprise

Internet-connected devices pose a similar threat to the enterprise as shadow IT, with Akamai noting many devices are used on the company network without security in place.
Written by Asha Barbaschow, Contributor

Internet-connected devices are already everywhere in the consumer space, but as they make their way into the organisation, they pose a threat to the security of enterprise networks.

According to Akamai global director of security strategy Patrick Sullivan, just like shadow IT, network administrators aren't necessarily aware of the presence of IoT devices.

"I think it's an issue for everybody," he told ZDNet. "I mean, it's a very active attack surface and I think if you look around the world, there are various governments that are starting to consider whether they need to weigh in with tighter regulation of the IoT devices."

With a well-known smartphone, an iPhone or Samsung device for example, those responsible for IT within an organisation know the security controls the device ships with and the patching process behind it; with an IoT device, "secure as standard" isn't always the case.

"It's a tricky situation because the consumer is not in the market only buying devices that have excellent internet security posture -- it's really not a consideration from the buyer -- which diminishes the incentive for the manufacturer to have a very high level of security," Sullivan explained.

This isn't helped by the fact that there is little regulation governing how IoT devices are developed.

See also: Your forgotten IoT gadgets will leave a disastrous, toxic legacy

"The IoT devices, they ship insecure by default -- not to paint vendors with a broad brush and put everybody in that bucket -- but many of the devices have no mechanism to auto-update with new patches, so they sort of just accumulate technical debt throughout their lifespan," he added.

"There's very few people going in updating the firmware in their refrigerator on a regular basis to patch; I think some of the regulatory movements that we've seen do call for the minimal set of standards including the ability for the device to auto update, so at least you know you can push patches that have a chance of being updated from time to time."

Credential stuffing

Despite security vendors pushing the idea of "password hygiene" at length, another big problem facing the enterprise stems from users still reusing the same username and password across multiple accounts, Sullivan told ZDNet.

In a distributed denial of service (DDoS) attack the attackers typically want to make as much noise on the network as possible; with credential stuffing it is the opposite, as they want to remain stealthy.

"So they all basically distribute attacks to a target through a massive set of proxy servers ... they're trying to circumvent controls looking at a high request rate from a given IP address and they have commandeered so many IoT devices that they can distribute those requests so far and wide," he explained.

"We see about 10 times more IPs participating in credential stuffing attacks than we do DDoS."

Because aggregated lists of leaked credentials are easy to obtain, Sullivan said attackers can safely assume that, given poor end-user hygiene, replaying the same credentials from site to site will succeed somewhere.
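The evasion Sullivan describes, spreading a campaign across many commandeered IPs so that no single source ever exceeds a per-IP request threshold, is easiest to see in a detector. The following Python is an added example, not Akamai's code and not from the original article: it constructs a synthetic authentication log, applies a conventional per-IP failure threshold, and then applies an aggregate per-window check that looks at the failure ratio and at how thinly attempts are spread across IPs and usernames. The log format, the function names and the thresholds are assumptions made for illustration.

```python
"""Why per-IP rate limiting misses distributed credential stuffing.

Hypothetical detection logic over a constructed auth log; not Akamai code.
Each log line: "<ISO 8601 timestamp> <client ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log() -> str:
    """Construct a synthetic auth log (not real traffic) in which 40 leaked
    credential pairs are replayed through 40 proxy IPs at one attempt each,
    mixed with a few legitimate logins from four office IPs."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # legitimate users, one mistyped password at i == 5
        ts = base + timedelta(seconds=7 * i)
        result = "FAIL" if i == 5 else "SUCCESS"
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 4 + 1} user{i % 4} {result}")
    for i in range(40):  # stuffing campaign: one attempt per proxy IP, two hits
        ts = base + timedelta(seconds=1 + i)
        result = "SUCCESS" if i in (9, 27) else "FAIL"
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} leaked{i} {result}")
    return "\n".join(sorted(lines))  # ISO timestamps sort chronologically


def parse_log(text: str):
    """Return (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def per_ip_offenders(events, window=timedelta(minutes=5), max_failures=5):
    """The control the attacker is evading: flag an IP only when it has more
    than max_failures failed logins inside a sliding window."""
    fails = defaultdict(list)
    for ts, ip, _, ok in events:
        if not ok:
            fails[ip].append(ts)
    offenders = set()
    for ip, stamps in fails.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                offenders.add(ip)
                break
    return offenders


def flag_distributed_stuffing(events, window_s=60, min_attempts=20,
                              min_fail_ratio=0.6, min_ip_spread=0.5,
                              min_user_spread=0.5):
    """Aggregate view: bucket login traffic into fixed windows and flag a
    window when it has many attempts, most of them fail, and both the source
    IPs and the usernames are spread thin (few attempts per IP, few per user).
    Thresholds are illustrative assumptions, not tuned production values."""
    buckets = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                   "ips": set(), "users": set()})
    for ts, ip, user, ok in events:
        start = int(ts.timestamp() // window_s) * window_s
        b = buckets[start]
        b["attempts"] += 1
        b["failures"] += 0 if ok else 1
        b["ips"].add(ip)
        b["users"].add(user)
    flagged = {}
    for start, b in sorted(buckets.items()):
        n = b["attempts"]
        if n < min_attempts:
            continue
        if (b["failures"] / n >= min_fail_ratio
                and len(b["ips"]) / n >= min_ip_spread
                and len(b["users"]) / n >= min_user_spread):
            key = datetime.fromtimestamp(start, timezone.utc).isoformat()
            flagged[key] = {"attempts": n, "failures": b["failures"],
                            "distinct_ips": len(b["ips"]),
                            "distinct_users": len(b["users"])}
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("per-IP rule flags:", per_ip_offenders(evs) or "nothing")
    for window, stats in flag_distributed_stuffing(evs).items():
        print("distributed stuffing in window starting", window, stats)
```

The per-IP rule returns nothing because every proxy IP makes a single attempt, while the aggregate check flags the minute in which the campaign ran. The thresholds have to be tuned against real traffic, and the aggregate signal only says that a campaign is running; it does not tell you which accounts were hit, so pair it with the successful logins inside the flagged window.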

"It's something that we see frequently, and although in some places you can introduce technologies like multifactor authentication, or you can look at captchas, both of those technologies have a pretty significant penalty in terms of user experience; if you're in the commerce business where you are competing with one-click to purchase, it becomes about limiting as much user friction as you can," Sullivan explained.

While credential stuffing techniques aren't new, Sullivan said they are becoming more prevalent in verticals beyond the typical finance and ecommerce spaces, such as government websites.

"If you think about the level of data that you could amass there on a government site -- that's certainly lucrative -- you can resell that; there are some pretty direct forms of fraud that one could pull off depending on the particular government agency," he said. "You know some elements of the public sector set themselves up for tremendous amount of fraud."
