2016 marks the first record-breaking one-terabit-per-second Distributed Denial of Service (DDoS) attack, which targeted French internet hosting company OVH. The source of this massive data stream was a botnet made up of connected CCTV cameras and personal video recorders, dubbed Mirai, which hackers built to overload OVH’s servers with traffic.
The Internet of Things (IoT) has expanded the network of connected devices common in homes today, including everything from PCs, smartphones and tablets to refrigerators, cars and TVs. As government agencies transition to the cloud, IoT devices will continue to proliferate, potentially moving deeper into the infrastructure. The security risk this trend presents in the public sector is clear: if a bad actor can hack a connected device and take control of it to attack other platforms, then a department’s cloud network offers a wide-open door to sensitive data.
So, how do agencies avoid the next data breach stemming from the Internet of Things?
Step 1: Accept IoT
Government can’t just ignore IoT’s growing popularity. Not long ago, agencies resisted bring-your-own-device policies. Now, many employees bring Samsung, BlackBerry, Apple, and Google phones to work every day. Attempting to fight the flood of IoT devices entering the workplace won’t get government very far, but by researching and building comprehensive cybersecurity strategies around cloud and device connections, agencies can more effectively mitigate the risks those devices bring with them. This kind of proactive approach empowers agencies to adopt IoT with confidence – and on their own terms.
Step 2: Understand the Vulnerabilities
Most IoT manufacturers do not take the proper time to integrate security into their appliances, or they do not issue software patches and updates, often in an effort to minimize their costs. Either way, connected appliances pose a heightened security risk.
For example, many of the wearable devices that can easily enter an agency office use Bluetooth, a short-range network connection notorious for its hacking opportunities. Other IoT devices, such as a probe used to monitor water quality for the EPA, or a refrigerator holding blood at a VA hospital, are less mobile but equally difficult to supervise.
Step 3: Build the Larger Picture
Considering how many different devices already exist across the network, bringing IoT devices into a cloud-based network will only compound the number of connections from desktops and smart devices. An agency can’t just implement a single firewall to protect its entire infrastructure anymore. In this growing pool, visibility becomes critical. Only by fully mapping the computing and network environment can administrators identify where potential threats could emerge.
Step 4: Control Access
The way forward lies in the application layer where IoT devices “live.” From this level, bad actors infect the software platforms hosted in these devices and gain access to the network layer. Implementing processes that limit what resources and servers IoT devices can connect to will safeguard data, while controlling applications’ functions will limit any espionage attempts. Access control will mitigate much of the potential damage of IoT.
In the case of OVH, both manufacturer and consumer failed to properly limit access and permissions on their IoT products. Government CIOs and administrators can’t expect the same level of forgiveness as civilian users, nor should they wait until the next DDoS attack to regulate their network.
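One way to check the access limits described in Step 4 against the device map from Step 3, shown as an added example that is not part of the original article: a default-deny egress allowlist per device class, audited against flow records. The device classes, addresses, ports and function names are all constructed for illustration.

```python
import ipaddress

# Constructed policy: each device class may reach only these (CIDR, port) pairs.
# Anything not listed is denied by default.
POLICY = {
    "camera": [("10.20.0.10/32", 554), ("10.20.0.11/32", 443)],
    "water-probe": [("10.30.5.0/28", 8883)],
}

# Constructed inventory (the Step 3 map): source IP -> device class.
INVENTORY = {
    "10.50.1.21": "camera",
    "10.50.2.7": "water-probe",
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.50.1.21", "10.20.0.10", 554),   # camera -> video recorder, allowed
    ("10.50.1.21", "203.0.113.5", 80),   # camera -> outside host, not allowed
    ("10.50.2.7", "10.30.5.3", 8883),    # probe -> telemetry broker, allowed
    ("10.50.2.7", "10.30.5.3", 22),      # right host, wrong port
    ("10.50.9.99", "10.20.0.10", 443),   # device missing from the inventory
]

def is_allowed(device_class, dst, port):
    """True only if (dst, port) matches an allowlist entry for the class."""
    dst_ip = ipaddress.ip_address(dst)
    return any(
        dst_ip in ipaddress.ip_network(cidr) and port == allowed_port
        for cidr, allowed_port in POLICY.get(device_class, [])
    )

def audit(flows):
    """Return (src, dst, port, reason) for every flow the policy does not permit."""
    findings = []
    for src, dst, port in flows:
        device_class = INVENTORY.get(src)
        if device_class is None:
            # Visibility gap: traffic from a device nobody has mapped.
            findings.append((src, dst, port, "unmapped device"))
        elif not is_allowed(device_class, dst, port):
            findings.append((src, dst, port, device_class + " outside allowlist"))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

The unmapped-device finding matters as much as the allowlist violations: a policy keyed on device class cannot constrain a device that was never inventoried.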
The IoT tsunami has already started to make landfall, but, if agencies can get their arms around this trend now, defense-in-depth strategies will empower them to protect their core missions and the public they serve.
For more strategies on how agencies can fortify their cybersecurity measures, see Tom Ruff’s article in our Innovation in Government Report: “Fight Back More Effectively.”