One day in October, many popular websites including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times were inaccessible due to a distributed denial-of-service (DDoS) attack.
The culprit? Tens of thousands of Internet of Things (IoT) devices. Hackers compromised cameras, coffee makers, web cams, DVRs, surveillance cameras, routers, anything they could get their hands on. Without their owners knowing anything about it, these devices unleashed a flood of overwhelming internet traffic that took down all these sites.
“The latest DDoS attack used connected devices such as smart refrigerators and thermostats,” said Frank Scavo, president of Computer Economics. “They flooded the network with a large number of transactions until these websites were unable to process legitimate transactions.”
So what should small businesses be doing about this new avenue of attack?
The Internet of Things
Lately, the IoT has been the subject of tremendous hype. Analyst firm Gartner predicts that by 2020, more than twenty billion devices will be connected to networks worldwide. This includes smart traffic lights that don’t leave you idling at a junction for several minutes when nothing is coming the other way, coffee makers networked to the front door or your phone so coffee is waiting upon your arrival, and fridges that send reminders to order grocery items in short supply.
The problem is that every wireless sensor and each networked device represents a possible entry point for an attacker. And if they can be used to bring down the web, how difficult do you think it will be to use them to infiltrate a small business network?
Unfortunately, most of these IoT devices contain little in the way of security features. If they do, device owners often neglect those security features. As a result, factory-set passwords such as 0000 or 1234 are never changed, so millions of devices end up with the same easy-to-hack password.
A security conference called Black Hat Europe recently discovered a vulnerability related to IoT devices and Android phones. Belkin home automation devices, such as electrical switches, cameras, light bulbs, coffee makers and air purifiers, could be compromised and used to gain entry to the phones that their owners had used to program and control the devices.
“Hackers can use the IoT to hop right into the network,” said Chris Coleman, senior engineering manager at SMB ransomware prevention vendor VEEDog. “Anyone using such devices in a small business could find their servers suddenly overcome by malware.”
He said wireless Internet routers in small businesses are particularly prone to attack if not well protected. But there are known cases of business cell phones being hacked via the office coffee maker.
“There are a lot of devices out there that have intelligent connections to the Internet that represent a real and persistent danger to your business,” said Coleman.
What To Do About IoT Security Threats
What do the experts suggest on how to keep your small business from falling victim to an IoT attack?
Keep the software for your computer network, servers, laptops, desktops, network switches, wireless routers and any other devices up-to-date, particularly with the latest manufacturer security updates.
Never use default passwords for devices once they are set up. Change them and keep them secure. This means no sloppy use of your name or “password” or other easy-to-hack terms. Remove Post-It notes stuck on screens or cubicles that serve as password reminders.
Wireless devices use certain security methods. Some are easier to hack than others. Coleman said to disable Wi-Fi Protected Setup (WPS) and only use Wi-Fi Protected Access 2 (WPA2).
Ensure that your employees take safe practices home with them, especially if they conduct business from home. The bad guys like to compromise home computers, find those that connect to business networks, capture passwords and from there quietly move into the business where they can wreak havoc.
“Hackers rely on ignorance of security and can take advantage of your business by running across nuggets (for them) in home computers,” said Coleman.
Invest in a backup strategy and make sure there is a secure knowledge base about how to restore your data in the event of disaster. If you lose a computer or a server that is critical to your company's survival, with proper backup and restore procedures you can turn potential disaster into merely a nuisance.
If you have an IT person in your business, hold him or her responsible for security and encourage that person to gain expertise -- fast. If you have enough personnel, appoint someone solely to look after IT security and justify it by the fact that the bad guys are hitting everyone right now. If you don’t have enough staff or in-house expertise, hire outside help to be responsible.
“There are network consulting firms, security consulting firms and managed service providers that will do an assessment of your network, your website and any connected devices that you have,” said Scavo. “They can help you decide what security measures you need to take to protect yourself.”
If your website lies at the heart of your business and makes you a lot of money, it may require protection against a distributed denial of service attack. Attackers can target you directly, or you may just get caught in the crossfire when they go after your Internet Service Provider (ISP).
“If you want to be sure your website cannot be shut down by a DDoS attack, your website needs to be hosted by special internet hosting companies that specialize in DDoS mitigation,” said Stu Sjouwerman, CEO of security awareness training vendor KnowBe4.
There is an industry devoted to DDoS mitigation, but these services are not cheap. If this option isn’t affordable, call your ISP and ask how they mitigate against DDoS attacks. Find one that has the best measures in place.
Small businesses have been complaining about being forced to buy the latest credit card payment machines which include a chip reader. But the Smart Card Alliance believes this is a good way to add protection against hackers. Every IoT device serves as a potential entry point onto the network – and that includes credit card machines and bank accounts.
“These recent DDoS attacks, one of which was more than four times the size of the largest reported attack last year, are comparable to the massive payments data breaches that have been in the spotlight over the past few years,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical.”
Amir Sharif, co-founder and vice president of business, Aporeto, pointed out that even a business with all of the above safeguards in place and top of the line security practices in force could still be victimized due to one insecure IoT point. An innocuous device sitting in the corner could be used to unlock doors remotely. A local gang member could then go in to install more sophisticated snooping devices that map keyboard strokes, record voice data, steal video streams off of computers and so forth. Then, bank accounts could be silently siphoned off over a long period with what would appear to be a series of legitimate transactions.
“Only buy IoT devices if there is a good business need for them,” said Sharif. “Buy devices from well-known entities that could stand behind their product and provide some indemnity.”
As surveillance technology has gotten cheap, many small businesses have deployed it. Increasingly, these devices are Internet enabled. That poses a threat.
“Internet enabled devices like video cameras should be kept on a separate network from the primary business network dealing with customer financial transactions, like point of sale systems, intellectual property or any form of regulated data,” said Chris Morales, head of security analytics at Vectra Networks.
Mat Gangwer, chief technology officer at Rook Security, takes this a step further. He advises small businesses to keep all IoT devices off the corporate network except those that are absolutely needed.
“It doesn't require a huge IT budget to make an organization a little more secure and make it less of an easy target,” said Gangwer. “It’s really the easy targets most hackers are going after.”
Of course, the usual security technologies, such as anti-virus, anti-malware, firewalls, encryption and especially, these days, ransomware protection, should be in place. VEEDog, for example, is designed for the SMB marketplace. It monitors the network data flow, flags suspicious files and analyzes them for destructive or malicious intention, disables any file verified to be malware, and packages the file for submission as malware to the customer’s anti-virus provider so that they distribute a fix to all their customers to neutralize infection in the future.
Most breaches, hacks and ransomware happen because someone in the organization was sloppy and uneducated. And it’s shocking how easy it is to trick employees. One company hired an outside organization to pretend to be their IT department. It sent employees emails asking for their user passwords. 113 of 200 sent their passwords immediately.
Opening email attachments or links from unknown or unverified senders is a poor practice, yet it continues to be an easy way to gain unauthorized entry. Employees need training on how to spot suspicious emails.
How can you tell if the email is NOT from your bank or from the IT department? One trick is to hover the cursor over the name shown as the sender. Hackers can make something look like a legitimate email yet when you put the cursor there, the actual email address shows up as nasty.hacker@AOL.com.
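The hover check described above can also be run automatically over incoming mail. The following is an added example, not part of the original article: the trusted-sender list, the `smallbiz.example` and `examplebank.example` domains and the function names are assumptions made for illustration, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: names your staff trust, mapped to the domains those senders
# really use. Both entries are placeholders for this example.
TRUSTED_SENDERS = {
    "it department": {"smallbiz.example"},
    "example bank": {"examplebank.example"},
}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_warnings(raw_message):
    """Return a list of reasons the sender of raw_message looks spoofed."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    warnings = []

    # The display name is free text chosen by the sender; only the address counts.
    for name, domains in TRUSTED_SENDERS.items():
        if name in display.lower() and from_domain not in domains:
            warnings.append(f"display name '{display}' but address is {address}")

    # Replies silently diverted to another domain are a second common sign.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies go to {reply_domain}, not {from_domain}")
    return warnings


# Constructed sample messages (the spoofed address is the one quoted in the article).
SPOOFED = (
    "From: IT Department <nasty.hacker@AOL.com>\n"
    "Subject: Password check\n\nPlease reply with your password.\n"
)
GENUINE = (
    "From: IT Department <helpdesk@smallbiz.example>\n"
    "Subject: Maintenance window\n\nServers restart at 6 pm.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, sender_warnings(raw))
```

An empty list means neither check fired; it does not prove the message is genuine, so staff should still verify unexpected requests by another channel.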
Given that IT expects ransomware to increase, security awareness training is a sensible defense. It explains to employees the various tricks of the hacking and ransomware trade so they don’t get caught. Trainers can send out spoof email links to see how many are clicked on. They track the percentage, and the training should reduce the number over time.
Yes, our highly connected world can seem much too scary to live in. One in 40 small businesses is at risk of being a victim of a cyberattack, according to a Symantec report. This can translate directly into dollars lost. The National Small Business Association found that on average cyberattacks cost small businesses more than $7,000.
“Businesses that have connected devices, such as smart factory or warehouse equipment, need to be aware of the threat and ensure that their devices have security protection,” said Scavo. “Otherwise criminals could take down your factory or your warehouse and demand ransom to get it back up and running.”
Such possibilities could cause some businesspeople to yearn for the good old days when they never had to worry about hackers and malware. But it’s really not much different than moving from a tiny farming community where no one locks their doors into an inner city downtown – you have to change your habits and take sensible precautions.
“There is relatively small risk if the business takes some basic steps to protect its network,” said Mike Bergman, senior director of technology and standards at the Consumer Technology Association.
Mankind successfully made the transition from a low-crime agrarian existence into a high-crime urban world. The same can be done with the IoT. Just as the benefits of industry were found to outweigh the many drawbacks, so it is with a more connected world.
“At the end of the day and after some analysis, it will become evident that the benefits that IoT provide to the SMB owner outweigh their costs,” said Sharif. “Life will go on.”