BYOD is a thing of the past - or is it? Gary Cox, Technology Director for Infoblox in Western Europe, explores the troubling rise of Shadow IoT and how to detect it.
With the Internet of Things (IoT) continuing to grow, and with employees connecting an increasing number of consumer devices to enterprise networks, IT teams find themselves faced with greater complexity and more security issues than ever before.
The scale of the problem was illustrated by the findings of a recent Infoblox survey which revealed that, while three quarters of businesses have over 1,000 approved devices such as PCs and company mobiles connected to their networks, more than a third reported at least 5,000 non-approved devices, including personal phones, laptops and e-readers.
Typically offering very poor security, many of these consumer devices provide cybercriminals with an ideal point of entry to an organisation's network, and this represents a very real threat to that organisation and its business.
Many businesses reported having a significant number of non-business IoT devices such as fitness trackers, smart TVs, and digital assistants connected to their enterprise network. There are, however, a number of readily available tools that enable cybercriminals to take control of such devices. In 2017, for example, details of a CIA tool dubbed 'Weeping Angel' were published on WikiLeaks. The leak explained how agents used the tool to transform Samsung smart TVs into live microphones.
Vulnerable devices can be identified with worrying ease. A basic search on sites such as Shodan, a search engine for internet-connected devices, can deliver a wealth of information, including details of a device's banner, along with its open ports including HTTP, SSH, FTP and SNMP.
It's worth noting that the site is not, in itself, illegal. The details it provides, however, could be used by even the lowest-level criminals as a means of identifying potentially vulnerable devices connected to corporate networks.
Social media is being used as a means of spreading malware. Cybercriminals often exploit the fact that users tend to lower their guard on social networks, making them more likely to click on links from unknown sources. The fact that around two in five employees claimed to have accessed social media on their personal devices while connected to their organisation's network should therefore ring alarm bells.
Equally worrying is the claim by a quarter of the survey's respondents that they downloaded apps to their personal device while connected to an enterprise network. This is especially concerning when you consider that even apps from legitimate download sites have been found to contain malware.
Introducing a security policy for connected devices is a sensible first step in managing the threat that they pose, although, according to the report, employees can't necessarily be relied upon to follow it. IT administrators should therefore be able to enforce policy, restrict access to certain sites and types of content, and review non-compliant activity throughout the organisation.
By providing unified visibility into all devices, IP Address Management (IPAM) will enable IT admins to manage those devices more effectively, and DNS-based security will provide essential context and visibility, alerting IT admins of any network anomalies, and enabling them to identify and block malicious activity more quickly.
What's more, with threat intelligence data integrated into their DNS management, security teams will be able to monitor and prevent access to Newly Observed Domains, the creation of which tends to indicate that an attack is forthcoming.
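The two checks described above can be combined: reconcile address leases against the approved inventory, then see which unapproved devices query newly observed domains. The following is an added example, not code from the article or from Infoblox; the lease and query record layouts, the `FIRST_SEEN` feed and the 30-day window are assumptions, and all data is constructed.

```python
from datetime import date

# All data below is constructed sample input, not taken from the article.
APPROVED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
LEASES = [  # (mac, ip, hostname), assumed layout of an IPAM/DHCP export
    ("00-11-22-33-44-55", "10.0.0.10", "corp-laptop-01"),
    ("AA:BB:CC:00:00:01", "10.0.0.57", "livingroom-tv"),
    ("aa:bb:cc:00:00:02", "10.0.0.58", "fitness-band"),
]
DNS_QUERIES = [  # (client_ip, queried_name), assumed resolver log layout
    ("10.0.0.10", "intranet.example.com."),
    ("10.0.0.57", "cdn.update-check.example.net."),
    ("10.0.0.57", "www.example.org."),
    ("10.0.0.10", "login.update-check.example.net"),
]
FIRST_SEEN = {  # domain -> date first observed (hypothetical intel feed)
    "example.com": date(2015, 1, 1),
    "example.org": date(2016, 6, 1),
    "update-check.example.net": date(2024, 5, 30),
}

def norm_mac(mac):
    """Canonicalise MAC notation so 00-11-.. and 00:11:.. compare equal."""
    return mac.replace("-", ":").lower()

def unapproved_devices(leases, approved):
    approved = {norm_mac(m) for m in approved}
    return [lease for lease in leases if norm_mac(lease[0]) not in approved]

def first_seen_for(name, first_seen):
    """Walk up the labels until a domain known to the feed is found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in first_seen:
            return candidate, first_seen[candidate]
    return None, None  # absent from the feed: skipped here, review separately

def newly_observed(queries, first_seen, today, max_age_days=30):
    hits = []
    for ip, name in queries:
        domain, seen = first_seen_for(name, first_seen)
        if seen is not None and (today - seen).days <= max_age_days:
            hits.append((ip, domain))
    return hits

def shadow_report(leases, approved, queries, first_seen, today):
    """Map each unapproved device to the newly observed domains it queried."""
    nod = newly_observed(queries, first_seen, today)
    return {host: sorted({d for ip, d in nod if ip == lease_ip})
            for _, lease_ip, host in unapproved_devices(leases, approved)}
```

An unapproved device with an empty domain list is still a finding for the inventory; one with newly observed domains is the higher-priority case to investigate.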
A plethora of connected devices, approved and otherwise, have made Shadow IoT a reality, and one which affords cybercriminals the opportunity to exploit vulnerable devices. To minimise this risk, enterprise teams must discover and identify what's lurking on their networks, and take the steps necessary to protect those networks from external threats.