OpenDNS's Andrew Hay sees danger confronting many enterprises in the era of the "Internet of Things" as Internet-ready consumer devices, not architected for security, find their way onto corporate or government networks, often unbeknown to administrators.
Consumer devices - such as Internet-ready smart-screen TVs, webcams, storage devices and thermostats, to name a few, don't provide the same level of security as devices built with the enterprise in mind. "We're treating [these consumer devices] as toys, gadgets or quick-wins to get something done on the cheap," he says in an interview with Information Security Media Group.
Often, Hay says, network administrators don't even know the consumer devices are on their networks. "They're not looking at their DNS logs; they're not looking at their firewall logs or their proxy logs ... because [managing these devices is] still not thought of as IT's responsibility. ... They're tools that are enabling people to work easier."
In the interview, Hay identifies three risks associated with Internet of Things devices connected to an enterprise network:
- Creating a new attack vector: Consumer-oriented IoT devices can be manipulated to give hackers new avenues to exploit enterprise networks remotely.
- "Keeping bad company": IoT devices could be linked to cloud services that could be controlled by untrustworthy hosts, which might not promptly patch vulnerabilities, resulting in compromised user credentials, exposure of personal information or revelation of trade secrets.
- Facilitating new vulnerabilities: Installing on enterprise networks minimally secured, relatively cheap consumer gadgets - so-called "toys in the attack" - creates new avenues for remote exploitation.
Hay was lead author of a study, The 2015 Internet of Things in the Enterprise Report, which OpenDNS published last month. Before joining OpenDNS, Hay served as director of applied security research and chief evangelist at CloudPassage and senior security analyst for 451 Research's enterprise security practice. In 2008, the SANS Institute designated Hay as a security thought leader.