IoT-based DDOS attacks have CIOs petrified
John Bruno, CIO of multinational services conglomerate Aon, tells CIO.com that DDOS attacks are among his top cybersecurity concerns because the company's website supports seven million participants accessing information about healthcare and benefit plans from its website. "The way in which a broad-based denial of service attack can put you to your knees and then negatively impact the ecosystem that's attached to you -- that worries me and keeps me up at night," Bruno says.
DDOS attacks are scary but they aren’t the only attacks that should concern CIOs. Kamkar, who also tested IP-connected security systems, smart HVACs and energy meters, VoIP phones, video conferencing systems and connected printers, smart fridges and smart light bulbs says that the devices pose significant risks because security is not built into them and their firmware is frequently outdated.
Cybercriminals can use jamming or spoofing techniques to hijack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment. Perpetrators can exploit configuration settings in VoIP phones to evade authentication, enabling them to eavesdrop on and record calls. Hackers can crack HVAC systems and energy meters to force server rooms to overheat, causing physical damage. The dangers are real and can be exploited for "something big," says Abreu.
Abreu says CIOs can better prepare for DDOS and other attacks by being aware of what devices are phoning into their networks and creating policies limiting what connected devices can do. But with CIOs' attention focused on so many other issues -- digital transformations, analytics, budget planning, -- they often don't check what has access to their networks. When ForeScout’s software analyzes enterprise customers’ networks it typically detects between 30 to 40 percent more devices than CIOs said they would find.
Gartner predicts that 20 billion connected devices will be deployed by 2020, with as many as a third of these sitting unknowingly vulnerable on enterprise, government, healthcare and industrial networks worldwide. IDC predicts that two-thirds of enterprises will experience IoT security breaches by 2018.
Sign up for Computerworld eNewsletters.