Verizon: Internet of Things Hacks Pose Little Risk – For Now

Verizon said that threats from Internet of Things technologies were more theory than practice in 2014, but that 2015 could see IoT devices play a role in breaches.
Verizon said that threats from Internet of Things technologies were more theory than practice in 2014, but that 2015 could see IoT devices play a role in breaches.

In-brief: Verizon said in its latest Data Breach Investigations Report that threats from Internet of Things technologies were more theory than practice in 2014, but that 2015 could see IoT devices play a role in breaches.

Verizon’s Data Breach Investigations Report weighed in on security threats from the Internet of Things this week, concluding that too little data existed to make any conclusion about risk from the IoT.

Compared to bread and butter online threats like phishing e-mails, web application attacks and malicious software infections, threats from connected devices are an asterisk – almost entirely “proof of concept,” Verizon said in its annual threat report. “Despite the rhetoric in the news about Internet of Things (IoT) device security, no widely known IoT device breaches have hit the popular media,” the company said.

[Read more Security Ledger coverage of Internet of Things security.]

But that didn’t stop the company from predicting that connected devices may soon play a part in malicious attacks online. Verizon predicted that a breach of an organization’s network that originated with an IoT device compromise was possible in the next 12 months. Similarly, Verizon said tools like the Shodan search engine, a kind of Google for Internet connected hardware – will increasingly be used to exploit vulnerabilities and weaknesses in IoT device security.

VerizonDBIR-Cover
Click to view the Verizon Data Breach Investigations Report.

 

Companies worried about IoT risk should do threat modeling and attack exercises to identify likely adversaries and motives and then what data those adversaries would seek.

IoT devices need to be identified and categorized from “Level 3” devices – simple sensors that relay data, to Level 2 devices (like IoT hubs) that relay data and Level 1 devices that are “fully equipped internetworked devices capable of computation and sophisticated communication and application delivery.”

Sensitive data should not reside in Level 3 IoT devices – at least in any great quantity. But such devices are vulnerable and could be used as stepping-stones to Level 1, systems like cloud-based servers, that do hold significant data. “With no incident data to drive decision-making, understanding the typical methods used by your adversary and how they map to the data flow in your ioT implementation is a good start,” Verizon wrote.

3 Comments

  1. Excellent site you have here but I was wondering if you knew of any community
    forums that cover the same topics talked about in this article?
    I’d really like to be a part of community where I can get responses
    from other knowledgeable individuals that
    share the same interest. If you have any recommendations, please
    let me know. Thanks!

  2. Pingback: Internet of Things Needs Future Proofing | The Security Ledger

  3. Pingback: ATL’s Bastille Promotes its IoT Threat Detection Tech | The Biz Beat Blog