A joint report from Ponemon Institute, IBM Security and Arxan Technologies suggests there are worrying contradictions in how organizations approach IoT application security during development.
Ponemon Institute, IBM Security and Arxan Technologies’ “2017 Study on Mobile and Internet of Things Application Security” has highlighted some interesting and contradictory trends in the minds of Internet of Things (IoT) developers.
The report found that widespread concern exists when it comes to the security of mobile and IoT applications. In the face of large-scale DDoS attacks and data breaches throughout 2016, it’s not hard to see why. However, not only are organizations ill-prepared for the risks they pose, many are not even making security a priority.
The report, issued by the Ponemon Institute, surveyed 593 IT and IT security professionals working on mobile and IoT app security at a range of organizations.
One key takeaway, according to Mandeep Khera, CMO of Arxan, was simply that “the numbers don’t add up”. Asked about data breaches and resulting security measures, 60 percent of respondents confirmed that their organization has already experienced a data breach caused by an insecure mobile app, while over half are very concerned about the likelihood of an attack. However, 44 percent are taking no steps at all to protect their applications.
“The laissez-faire attitude toward the security of mobile and IoT applications needs to come to an end and organizations must start emphasizing security in the development process in order to prevent a detrimental attack,” said Khera. “One breach can set a company back dramatically in brand damage, financial loss and recovery costs. You have to think of the old idiom – penny wise, pound foolish.”
Why the lack of urgency?
Eighty-four percent of respondents reported that IoT apps are more difficult to secure compared to mobile apps, and fifty-five percent claimed that there is a lack of quality assurance and testing procedures for IoT apps.
Despite the obvious risks that come with IoT applications, and organizations’ awareness of them, there appears to be a lack of urgency to address the threat posed. In the report, just 32 percent of respondents said their organization saw securing mobile apps as an urgent priority, while only 42 percent said that securing IoT apps is urgent.
Dr. Larry Ponemon, Chair and Founder of Ponemon Institute, argued that “factors revealed in this study may help to explain the lack of urgency”.
“Respondents voiced minimal budget allocation, and those responsible for stopping attacks are not in the security function, but rather other lines of business.”
“Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”
Is there a lack of resources for adequate IoT app security?
Only 30 percent of respondents to the Ponemon Institute, IBM Security and Arxan Technologies report agreed that their organization allocates enough resources to protect mobile apps and IoT devices.
It seems that many take a more reactive approach, with respondents saying that more resources would be put into security in the case of a serious hacking incident (54 percent), if new regulations were issued (46 percent) or if there was media coverage of a serious hacking incident affecting another company (25 percent).
“Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn’t designed into these apps there could be significant negative impacts,” said Diana Kelley, global executive security advisor, IBM Security. “Organizations are at risk and cybercriminals know where the soft spots are. Raising awareness of application security in the enterprise is a critically important first step toward a more secure future for businesses and consumers.”
Internet of Business’ Fred Roberts caught up with Mark Noctor, VP EMEA at Arxan Technologies, to find out how much responsibility lies with developers and manufacturers, and how trust in IoT apps can be rebuilt.
“The burden of securing IoT devices absolutely lies with the developers and manufacturers producing them,” Noctor said. “Security defences such as application hardening and runtime application self-protection should be included in the software development process as standard practice, and all devices need to be thoroughly tested before being released. These basic measures are currently being skipped in the rush to market in many cases.
“For example, the Mirai botnet attacks, which have been some of the most significant DDoS attacks in history, were made possible due to a large number of IoT devices missing basic security precautions. The botnet matched potential targets against a database of the most common factory default usernames and passwords, and was able to infect millions of devices with ease because so many manufacturers lazily defaulted to ‘Admin/password’, while end users remained ignorant of the risk.”
FR: So why is there a lack of urgency to secure IoT apps?
“The race to capture market share has definitely been a major factor in manufacturers overlooking security, and unfortunately for the most part end users are unconcerned about the potential risks until an incident occurs.
“It’s possible the continued lack of urgency for security was due to the fact the most serious threats were all theoretical. Although the security and academic community continued to find flaws that could have had horrendous consequences – from hijacking connected cars to overloading pacemakers – thankfully they were restricted to controlled tests.”
FR: With a lack of trust in IoT security, are end-to-end solutions really adequate to convince businesses that they will be safe?
“The short answer is no, conventional end-to-end security measures are almost certainly not enough to convince businesses (or indeed consumers) that they will be safe. Mirai and other such target-specific worms are developed through a persistent process of reverse engineering and deeply understanding the inner workings of particular IoT-enabled devices. A typical end-to-end approach will only go so far in protecting against these kinds of persistent, highly engineering-savvy attacks.
“Businesses and consumers must be confident that IoT-enabled devices cannot be understood, tampered with or modified either through a direct one-to-one attack or through a sophisticated one-to-many malware threat.”