In-brief: Verizon said in its latest Data Breach Investigations Report that threats from Internet of Things technologies were more theory than practice in 2014, but that 2015 could see IoT devices play a role in breaches.
Verizon’s Data Breach Investigations Report weighed in on security threats from the Internet of Things this week, concluding that too little data existed to make any conclusion about risk from the IoT.
Compared to bread and butter online threats like phishing e-mails, web application attacks and malicious software infections, threats from connected devices are an asterisk – almost entirely “proof of concept,” Verizon said in its annual threat report. “Despite the rhetoric in the news about Internet of Things (IoT) device security, no widely known IoT device breaches have hit the popular media,” the company said.
[Read more Security Ledger coverage of Internet of Things security.]
But that didn’t stop the company from predicting that connected devices may soon play a part in malicious attacks online. Verizon predicted that a breach of an organization’s network that originated with an IoT device compromise was possible in the next 12 months. Similarly, Verizon said tools like the Shodan search engine, a kind of Google for Internet connected hardware – will increasingly be used to exploit vulnerabilities and weaknesses in IoT device security.
Companies worried about IoT risk should do threat modeling and attack exercises to identify likely adversaries and motives and then what data those adversaries would seek.
IoT devices need to be identified and categorized from “Level 3” devices – simple sensors that relay data, to Level 2 devices (like IoT hubs) that relay data and Level 1 devices that are “fully equipped internetworked devices capable of computation and sophisticated communication and application delivery.”
Sensitive data should not reside in Level 3 IoT devices – at least in any great quantity. But such devices are vulnerable and could be used as stepping-stones to Level 1, systems like cloud-based servers, that do hold significant data. “With no incident data to drive decision-making, understanding the typical methods used by your adversary and how they map to the data flow in your ioT implementation is a good start,” Verizon wrote.