The IoT presents unique security challenges that enterprises will have to solve fast.
IT personnel often spot a data breach when they notice anomalous behavior in network traffic. But what happened at a casino gives a new meaning to noticing something fishy.
Cyber criminals breached a North American casino’s network by hacking into—get this—a high-tech fish tank. According to a report by Darktrace, the casino installed a smart fish tank with advanced sensors that regulate the tank temperature, salinity, and feeding schedule.
The sensors were connected to a PC, which served as the hackers’ avenue to infiltrate the network, find vulnerabilities, and move laterally throughout the system. Before the breach was discovered, the perpetrators transferred 10 GB of data to a device in Finland.
“By targeting an unconventional device that had recently been introduced into the network, the attack managed to evade the casino’s traditional security tools,” the report stated.
The incident shows the creativity hackers are using to compromise networks, and further highlights the cybersecurity issues with IoT devices. Though any enterprise is susceptible to such an attack—fancy fish tank or not—casinos tend to be a big catch for cyber criminals.
Casinos Gambling on Security
Casinos are ripe targets for cyber criminals because they carry the same risks and payoff appeal for hackers as banks and retail establishments—they manage a lot of money, have countless public-facing ATMs and card readers, and plenty of consumers.
While the house usually wins on the casino floor, the hackers win on the network. The Hard Rock Casino experienced two data breaches last year when hackers gained access to the POS network and also installed malware. Other casino compromises include:
• Hackers crippled the IT network of Sands casinos, including the Venetian and Palazzo in Las Vegas, wiping hard drives clean in an attack linked to the Iranian government
• Criminals compromised the network and file storage server at FireKeepers casino in Michigan, exposing 85,000 credit and debit cards
• A cyber attack shut down four Atlantic City online gaming sites for 30 minutes during the Fourth of July 2015 in a ransomware attack
Regulators are trying to implement measures to dissuade attacks. Nevada requires casino CTOs to be licensed and oversee cybersecurity measures, while New Jersey requires casinos to have an information security officer on staff.
Still, as casinos vie to implement new technologies—such as IoT—to keep pace with competitors, engage customers, and provide new ways to gamble, they must deal with the network vulnerabilities.
Growth of IoT Causes Growing Concerns
The Internet of Things involves the growing prevalence of smart devices with the ability to automatically transfer data over a network. It includes everything from thermostats to smart watches and, yes, fish tanks.
According to Gartner, there will be 20.4 billion connected IoT devices by 2020, with 5.5 million new things connected each day. The report also predicts more than half of new business processes and systems will include an IoT component.
The proliferation of these devices means more avenues for hackers to gain access to critical networks and data. Oftentimes security issues aren't considered in product design of IoT devices, or they have old operating systems. Organizations also have poor visibility of these networks.
Securing the IoT
Standard security measures and anti-virus solutions won’t be enough to secure IoT devices, as recent hacks proved. IT security personnel will have to implement other key methods.
Segmentation is one method. IoT devices should be segmented into their own network to restrict access. Effective segmentation helps prevent attacks from propagating throughout a network even if one system has been compromised.
However, segmentation isn’t foolproof. According to a Forrester report, network segmentation is only moderately successful. The casino fish tank was on an individual VPN to isolate the data, but hackers still maneuvered throughout the system. The network still must be monitored for anomalous traffic.
Some other security measures needed to secure IoT devices include:
Network security: IoT networks are more complex than traditional networks because there is a wider range of communication protocols and device capabilities. Still, you need to implement standard security features such as antivirus, firewalls and intrusion prevention systems.
Authentication: IoT devices will need authentication methods such as multi-factor authentication, static passwords, and digital certificates to authenticate users. Devices will also need to authenticate other devices, as communication between devices is a key element of IoT.
Encryption: Device data will need to be encrypted at rest and in transit to prevent unauthorized access to devices and data. However, standard encryption tools and processes won’t work because IoT devices don’t have the memory to handle them. IT staff needs to use lightweight encryption tools because of device constraints.
Security analytics: In addition to monitoring, IoT data must be analyzed not only to spot anomalous activity, but to predict threats. This will require the use of emerging solutions, such as machine learning and artificial intelligence.
API security: Securing interfaces will protect the exchange of data between devices and back-end systems, ensuring only authorized developers, devices, and apps communicate with APIs.
The IoT presents unique security challenges that enterprises will have to solve fast. IoT device adoption is rapidly expanding for consumers and businesses, like casinos. The fish tank takedown is a reminder that all devices are susceptible and hackers will find your vulnerabilities. The best move is to stay on top of the best practices to mitigate risk and damage.