The Internet of Things (IoT) has become a very popular topic with the media and bloggers over the past few years. When it’s discussed, it’s typically in association with consumer devices, an aspect I never gave much thought to until last week when I was discussing the 2013 Target breach, and this post from Brian Krebs in particular, with a colleague.
My colleague mentioned that the Target breach was an IoT attack, yet we have never really heard people talk about it in those terms. Even Krebs didn’t in his post. Usually when the IoT term is dropped, it’s mentioned in conjunction with consumer technologies like car systems, Facebook, baby monitors and home security systems, or even more forward-thinking, aspirational technologies like smart refrigerators or smart coffee pots. After all, even I subliminally used only consumer examples in my post last month.
As I went back to the Target breach and thought about it further, I realized it indeed was an IoT attack. Consider it at a high level: the Target hackers got access by targeting a “thing” that was connected to a network. That “thing” allowed them to access other “things” residing on that network.
For a more detailed account of the Target breach, Krebs provides a good overview.
"In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses. The results of that confidential investigation — until now never publicly revealed — confirm what pundits have long suspected: Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store."
His post goes on to mention that Verizon’s experts were able to gain access to cash registers at a store check-out lane after attacking a deli market scale at another Target location. IoT is all about connected systems, and those systems were certainly connected.
Were any of those “things” connected to the internet? (I can already sense people saying that IoT is about internet connectedness.) It’s hard to say; it depends on whether the “things” that were attacked lived within a physical IT infrastructure or a cloud-based one.
Either way, the predecessor to IoT was the traditional physical stack infrastructure of enterprises. Once an attacker infiltrated one program on a network or one specific server, it was very easy to expand beyond that program to whatever else was accessible via that network or server.
With so many enterprises now using cloud-based applications, enterprise environments are now most certainly IoT environments, and we must start factoring that into how we’re securing them.
Consider again what Verizon did to Target. Deli scales and cash registers can both be considered things, and from an access management perspective, enterprise things typically share a common “admin-lite account”. The thinking is that because they aren’t people, and don’t have the attributes and free will of rogue employees, they’re more secure. While that could be true in theory, Verizon showed that it isn’t the case in execution. The connectivity associated with that common account makes them at least as vulnerable as people, if not more so.
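As an added illustration of the shared-account risk described above (example code written for this post, not code from Krebs, Verizon or Target): the script below parses constructed device authentication log lines and flags any account that, from a single source address, successfully authenticated to more than one device class within a short window, which is the trail a shared “admin-lite” credential used to move from a deli scale to cash registers would leave. The log format, the hostnames and the hostname-prefix device-class convention are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of device authentication events (not real Target or Verizon data).
SAMPLE_LOG = """\
2013-11-27T03:14:02Z host=deli-scale-0412 user=svc_device src=10.12.4.31 result=success
2013-11-27T03:14:40Z host=pos-register-0412-07 user=svc_device src=10.12.4.31 result=success
2013-11-27T03:15:05Z host=pos-register-1188-02 user=svc_device src=10.12.4.31 result=success
2013-11-27T03:20:11Z host=deli-scale-0412 user=svc_device src=10.12.4.31 result=success
2013-11-27T09:02:19Z host=pos-register-0412-07 user=svc_device src=10.12.4.80 result=success
2013-11-27T09:10:45Z host=hvac-ctrl-0412 user=svc_hvac src=10.12.9.5 result=success
"""

# Assumed key=value log format; anything that does not match is skipped, not crashed on.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["cls"] = ev["host"].split("-")[0]  # device class from hostname prefix (assumed convention)
        events.append(ev)
    return events

def find_shared_account_pivots(text, window=timedelta(minutes=15)):
    # Returns {account: sorted device classes} for accounts that, from one source address,
    # successfully authenticated to more than one device class inside `window`.
    events = sorted((e for e in parse_events(text) if e["result"] == "success"), key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    findings = {}
    for (user, src), evs in by_key.items():
        for i, first in enumerate(evs):
            classes = {first["cls"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                classes.add(later["cls"])
            if len(classes) > 1:
                findings.setdefault(user, set()).update(classes)
    return {u: sorted(c) for u, c in findings.items()}
```

Calling `find_shared_account_pivots(SAMPLE_LOG)` flags only `svc_device`, which reached both the deli scale and the registers from one address within minutes; the HVAC account, used against a single device class, is not reported.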
The bottom line is that in an IoT world, you need to secure your “things” just as much as you secure your people.
You may be interested in this related post:
The Internet of Insecurity: How IoT Puts Information at Risk