Introduction
The IoT is an innovation which is used to connect computing devices, networks and sensors with physical things. It has the potential to send data or signals over a network without using any human to human communication by whcih it can be used in long-distance announcement (Abomhara, & Køien, 2014). As an external cyber security consultant, it is very significant to classify the risk factors related to the IoT which impact on the organizational performance. This investigation aims to identify the security risks and threats associated with the IoT technology and evaluate the prevention strategies and techniques for addressing such kinds of issues. It is observed that DDOS is a common security attack faced by the companies that impact on the overall performance of both IoT and IT infrastructure used by the companies. There are numerous sections will be included in this investigation for example, security issues related to the IoT and IT infrastructure, a real example of security attacks, vulnerability occurred in the companies and prevention techniques.
Security issues
IoT is one of the reliable technologies which are now used in business companies to enhance the productivity of their services. It is observed that IoT based devices do not require any connecting cables because it uses the fundamental concept of wireless networks by which users can exchange signals from one place to another. The major problem associated with the IoT based system is security where the hackers send the traffic signals and reduce the performance of networks that also impact on the organizational performance (Balte, Kashid, & Patil, 2015). It is analyzed that there are major two risk factors that increase the rate of security threats and risks in IoT enabled devices, for example, utilization of unauthorized networks and lack of proper communication between the developed networks and servers.
Most of the users use unauthentic systems while developing and implementing IoT based systems which are developed by the criminals for performing malicious related activities (Bekara, 2014). This section is divided into major two parts which involve security issues related to the IoT devices and security threats linked with IT infrastructures by which various kinds of attacks and threats can be analyzed.
Security issues linked with IoT
Security is a common problem associated with IoT and other technologies due to which many companies are suffering from the data breach-related problems and hacking. In last few years, the rate of cyber-attacks has increased by 67% in worldwide in which most of the criminals included a high level of programming codes and malicious software (Frustaci, Pace, Aloi, & Fortino, 2017). There are numerous types of security attacks occurred in the area of IoT that impact on the reliability of computing systems and private details. These security issues are described below:
IoT malware and ransomware
Malware is one of the biggest security attacks occurred in the area of IoT where hackers use third party protocols and unauthorized networks to access the private details of consumers. A recent study argued that IoT enabled devices are mainly connected with the other networks using wireless sensors and internet that support criminals for performing the hacking-related activities (Hossain, Fotouhi, & Hasan, 2015). Mainly, IoT connects to or more devices with each other using internet connections and hackers can attack on the communication channels and block the servers used by the consumers for which they use the key idea of malware attack. In a malware attack, criminals use malicious software for producing a huge amount of traffic signals and threats and transfer these unwanted signals to the IoT enabled devices for reducing the performance of the overall server.
Moreover, the ransomware is a part of the malware attack in which the hackers block communication channels and collect the private details of companies and users by using third-party applications. It is observed that the ransomware attack mainly focuses on limiting or disabling the computing devices used by the consumers and access their accounts without their permission. In the case of IoT devices, hackers perform ransomware attack with the help of malware activities and encrypt the personal data files of companies to earn some ransom for management.
As stated by Khan, & Salah, (2018) both malware and ransomware are very common security attacks linked with the internet of things due to which consumers may suffer from the data breach and hacking. It is determined that malware is a common attack which does not require any external system because it directly attacks the networks and servers linked with IoT enabled devices. Therefore, it is argued that more than 56% of companies are facing the issue of malware while using the key aspect of IoT technology and IoT enabled devices.
DDOS attack
The term DDOS is defined as a distributed denial-of-service which is a part of a security attack that mainly occurred in the area of IoT devices and networks. It is a very serious cyber-attack that has the potential to reduce the performance of developed servers and also impact on the overall effectiveness of the IoT devices (Mahmoud, Yousuf, Aloul, & Zualkernan, 2015). In the case of the DDOS attack, the hacker’s uses botnet process along with the malware software to generate a large number of traffic signals and fraud links that help them for performing data breach activities.
In the year 2016, DDOS attack on European web hosting organization OVH reduced the performance of developed systems and also impact on the IoT enabled devices. Therefore, it is stated that DOS and DDOS both are very common attacks that occurred in the area of IoT enabled devices. Mainly, criminals attack on the servers and networks included in the IoT devices that reduce the effectiveness of the systems and impact on the personal information of consumers. According to Razzaq, Gill, Qureshi, & Ullah, (2017) the term DDOS is a type of security breach that occurred in the IoT devices where the hackers send a large number of traffic signals and block the private details linked with the IoT enabled networks. Such kind of security attack is an attempt by its perpetrator to incapacitate a server that helps the criminals for reducing the efficiency of the user’s data.
Therefore, it is argued that both malware and DDOS both are very common security threats associated with the IoT enabled networks and device due to which companies can suffer from the data breach issue and also lose their private details. Because of these attacks, the effectiveness of IoT devices may be reduced and companies can face the issue of cyber-crimes.
Security issues linked with IT infrastructure
IT infrastructure is a system that controls and manage the entire process of information technology and also handles the overall communication process. IT infrastructure plays a major role in the companies where it helps managers for improving the overall performance of developed systems. IT infrastructure connects various computing devices and networks with each other which increase complexity and rate of cyber-attacks that directly impact on the productivity of the business sectors. There are various kinds of security issue occurred in the IT infrastructure and systems which are described below:
Unauthentic networks
It is observed that the utilization of IT systems are increasing rapidly and many customers use third party servers and unauthentic systems which are related to the IT infrastructure. Unauthentic networks are mainly developed and implemented by the hackers to perform the hacking-related activities and they also impact on the performance of IT infrastructure. It is observed that most of data breach attacks performed with the help of unauthorized networks because it helps criminals for collecting the private details of users like user ID, password and so on (Riahi, Challal, Natalizio, Chtourou, & Bouabdallah, 2013).
A recent study argued that IT infrastructure has the potential to maintain the entire IT system effectively but many employees in the companies use third-party servers along with the unauthorized networks that can increase cyber-attacks. Moreover, unauthentic servers are more capable to collect the private details of consumers and also reduce the effectiveness of IT infrastructure due to which companies can suffer from the data breach and other security issues.
Phishing attack
It is a part of the social engineering attack which is associated with the IT infrastructure and networks used by the companies. In such kind of attack, the criminals initially transfer the fraud links and signals with the help of social sites like mail and access the computing devices used by the consumers. It is one of the largest security attacks that occurred in the IT infrastructure and also impact on the efficiency of computing servers. According to Stojmenovic, Wen, Huang, & Luan, (2016) in the case of phishing attack hackers send unwanted links and employees access these links in their computing systems which directly affect the servers and networks linked with the computer system.
Moreover, these fraud links help the criminals for accessing and collecting the private information of consumers including data files, images, and mails and so on. Mainly there are major two kinds of phishing attacks occurred in IT infrastructure which includes spear phishing and e-mail phishing. In which spear phishing targets a particular part of the IT system which is used in the IT infrastructure and computing systems. Therefore, it is stated that the selected security issues are very common that occurred in the IT infrastructure and many companies were lost their data sets because of these attacks and threats.
Attack scenario
Mirai is the best example of a security issue that occurred in IoT enabled devices which are a part of the malware that converts networked devices into controlled bots and also help the criminals for performing DDOS activities. The first Mirai botnet was observed in the year 2016 by malwaremustdie which included most DDOS attacks to perform data breach activities and obtain the private information of consumers (Tankard, 2015). It is examined that on October 12, 2016, a DDOS attack left much of the internet inaccessible on the United State east coast and hackers included the malware and Mirai botnets for obtaining the sensible data of users. It is observed that in the year 2017 around 8.4 billion users were suffered from the data breach and also lost their private information including account information, address and so on.
At that time, criminals used the key idea behind the DDOS attack and Mirai took benefit of the IoT enabled devices to collect the reliable data of companies. It is argued that Mirai is an effective part of the malware attack that has the potential to enter into the main system and block the entire IT infrastructure used by the companies. Therefore, it is observed that Mirai is a very dangerous attack that has the capability to control and manage the connected devices and networks and more than 56% companies were suffered from the DDOS and malware attacks (Vashi, Ram, Modi, Verma, & Prakash, 2017).
A recent study determined that Mirai is able to hack more than thousands of insecure networks and devices and also produce DDOS activities in the workplace due to which companies may suffer from the privacy breach and threats. It is observed that there are two key components of Mirai such as virus and command and control centre. The virus includes the attack vectors that support criminals to block the networks linked with IoT devices. The CNC is a separate part of malware which monitors the compromised networks by sending the unwanted signals and links to the consumer’s networks (Yang, Wu, Yin, Li, & Zhao, 2017).
Figure: Mirai Attack
(Source: Zhang, et al., 2014)
Zhao, & Ge, (2013) argued that Mirai scans the internet connection used in the IoT enabled devices and transfer the traffic signals with the help of Botnet process and access the personal details like user ID and password. Moreover, many criminals use the key aspects of Mirai and DDOS for controlling and handling IoT enabled devices linked with home appliances.
From the previous investigation, it has found that in the year 2017 DDOS and Mirai attack affected thousands of user’s accounts and collected their private information without their permission. The hackers used the collected information for finding the effective votes in the US presidential election and numbers of companies were lost their productivity and data files because their employees accessed the unwanted servers and also used unauthorized networks which are developed by the criminals. The Mirai attack was powered by 24,000 less secure IoT networks and devices that were hacked by the criminals by using malware and botnet methods. Therefore, it is argued that the Mirai and DDOS both are common security attacks that have the ability to reduce the overall security of IoT devices and servers and also block the communication channels linked with the IT systems.
Vulnerabilities
As stated by CVE community, the term vulnerability is a security threat which provides software codes to the criminals to perform malicious activities. Such kind of process helps the criminals for accessing the personal details of users and collects their private details without taking permission from the consumers. The CVE programs provide a platform for controlling and managing the security risks associated with computing networks and devices. There are numerous kinds of vulnerabilities occurred in the IoT devices and networks which involves unauthorized networks, unsecured endpoints, third party applications, inadequate data backups, and so on.
Unsecured endpoints
It is one of the serious and common vulnerabilities that occurred in the organizations and communities. In the business communities, most of the employees use smartphones and connect their networks with the third party applications and servers which are developed by the criminals. Moreover, employees also access their accounts by using unauthentic networks due to which they may suffer from security threats and risks. A recent study argued that unsecured networks have the potential to access and control the details of consumers and it also supports criminals for blocking the communication systems connected with the computing devices (Zhang, et al., 2014).
Around 45% of security attacks occurred because of the unsecured endpoints and utilization of third party applications. It is a very serious issue that the employee does not focus on the security and allow the accessibility of their data to third parties that may impact on the effectiveness of the computing devices and networks. However, unsecured networks and third-party server are capable to perform the cyber-attacks and reduced the privacy of data sets used by the organizations.
SQL injections (SQLi)
It is a kind of injection attack that helps the criminals to execute malware SQL statements and activities in the organizations. Such kind of vulnerability can control and handle database networks used by the companies and most of the criminals use the key functions of SQL injection vulnerabilities to reduce the security of computing networks and devices. With the help of SQL injections, the hackers can easily modify the data stored in the databases and also reduce the overall privacy of the computing devices and systems (Zhang, et al., 2014). It is observed that an SQL injection can affect any computing website or server which involves an SQL database, for example, Oracle, SQL and so on.
Moreover, hackers can utilize such kind of vulnerability for gaining unauthentic access related to the sensitive data of companies and users. From previous research, it has found that SQL injection attack is a common computer vulnerability which is occurred in the organizations or communities. It has the capability to provide sensitive data of consumers and find the credentials of other employees from the stored database. In some of the data networks, the criminals can access the operating systems along with the computer servers used by the companies and employees.
Proposed solutions
It is observed the security of IoT is a very complex process that requires proper connections and interaction between the developed systems and IoT enabled devices. There are main three key aspects that enhance the level of security threats in IoT devices, for example, unsecured endpoints, utilization of unauthentic servers, and misconfiguration of the adopted servers. This section provides a way by which companies and employees may improve the security of their private details while using IoT networks and devices in the workplace (Abomhara, & Køien, 2014). There are numerous steps and techniques which may be used by the companies in order to enhance the privacy of IoT devices and decrease the rate of security attacks. These methods are described below:
Utilization of authentic networks
It is examined that the rate of security threats in IoT is increasing quickly due to unauthorized networks that are produced by the criminals and accessed by the employees in the workplace. It is suggested that companies should use only authentic networks while connecting devices with IoT networks. It is very important for companies to focus on the security of data and provide a platform where employees can understand the importance of authentic servers (Wen, Huang, & Luan, 2016). As a cyber-security consultant, it is very important to provide complete information about the security risks linked with IoT devices. Employees must ensure that they use only secured servers and avoid utilization of third party applications that create a problem for IT infrastructure and system.
Develop security policies
Security policy plays a major character in the reduction of a data breach and cyber-attacks those aware employees to understand the security attacks and risks related to the computing devices and IoT. Companies should develop and implement security plans and policies in the workplace where they can provide proper training to their new employees to protect data from third parties. Moreover, providing proper training and education is an effective approach that can be used by the management for protecting the personal data of consumers (Wen, Huang, & Luan, 2016).
Follow proper configuration process
It is very important for developers to design and implement effective communication systems while using IoT based devices in the IT system. Lack of proper configuration is a key point that impact on the performance of network devices linked with the IT infrastructure. Therefore, it is suggested that management team should adopt an IT team that focuses on the effectiveness of the IoT devices and control the fraud cases from the system (Hossain, Fotouhi, & Hasan, 2015). By following proper configuration process and including IT security system in the organization companies can enhance the security of private details along with the IoT enabled devices.
Utilization of secured software
Security of networks and data can be increased with the help of advanced secured software like antivirus because of their ability to detect the unwanted signals from the system. It is observed that companies can adopt firewall software while developing and implementing IoT devices in the workplace. Moreover, using a firewall and antivirus software the management team can address DDOS, unauthentic signals and other malware attacks from the system (Hossain, Fotouhi, & Hasan, 2015). Therefore, it is suggested that employees should update the software on a regular basis and turn on security programs in the computing systems because hackers send the traffic signals to the consumers that block the communication channels.
Adopt encryption techniques
Encryption is one of the best techniques for addressing the unwanted signals from the system and reduces the rate of security-attacks like DDOS, malware and so on. It is observed that encryption improve the security of communication systems used in the IoT devices where it converts the transferred signals into a form of code which cannot be cracked by the hackers without using access key and receiver. Therefore, it is suggested that while developing and implementing IoT enabled devices in their businesses to use the concept of encryption and decryption technique. Moreover, they can design a system which controls data over a network and also reduce errors and problems that impact on the effectiveness of IoT enabled networks.
Use backup plans
It is argued that hackers are able to obtain the private details of consumers and reduce the security of IoT devices used by the companies. In order to secure the personal data in the companies, management should adopt backup plans along with the cloud computing that can support them for securing their original information from hackers. Moreover, employees should ensure that they allow automatic backup process while using the IoT enabled devices in the workplace (Zhang, et al., 2014).
Use risk assessment plans
It is evaluated that DDOS and other security attacks occurred due to lack of proper privacy systems for which companies can design and implement risk assessment plans in the workplace. The risk assessment plan has the potential to control and handle the unwanted signals from the system and also aware employees from the data breach which can help for increasing the efficiency of developed IT systems (Zhang, et al., 2014). However, the risk assessment plans focus on the three key factors including the availability of data, confidentiality, and accountability.
Conclusion
From the above identification, it is concluded that there are major three factors which increase security risks in IoT such as misconfiguration of networks, authentication of networks, and unsecured endpoints. This investigation examined the security attacks and risks associated with the IoT devices and IT infrastructure. It is evaluated that DDOS and malware both are common security attacks occurred in the IoT devices that directly impact on the privacy of databases used by the companies.
References
Abomhara, M., & Køien, G. M. (2014). Security and privacy in the Internet of Things: Current status and open issues. In 2014 international conference on privacy and security in mobile systems (PRISMS), 12(4), 1-8.
Balte, A., Kashid, A., & Patil, B. (2015). Security issues in the Internet of things (IoT): A survey. International Journal of Advanced Research in Computer Science and Software Engineering, 5(4), 10-16.
Bekara, C. (2014). Security issues and challenges for the IoT-based smart grid. Procedia Computer Science, 34(5), 532-537.
Frustaci, M., Pace, P., Aloi, G., & Fortino, G. (2017). Evaluating critical security issues of the IoT world: Present and future challenges. IEEE Internet of Things Journal, 5(4), 2483-2495.
Hossain, M. M., Fotouhi, M., & Hasan, R. (2015). Towards an analysis of security issues, challenges, and open problems in the internet of things. In 2015 IEEE World Congress on Services, 6(5), 21-28.
Khan, M. A., & Salah, K. (2018). IoT security: Review, blockchain solutions, and open challenges. Future Generation Computer Systems, 82(6), 395-411.
Mahmoud, R., Yousuf, T., Aloul, F., & Zualkernan, I. (2015). Internet of things (IoT) security: Current status, challenges and prospective measures. In 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), 5(4), 336-341.
Razzaq, M. A., Gill, S. H., Qureshi, M. A., & Ullah, S. (2017). Security issues in the Internet of Things (IoT): A comprehensive study. International Journal of Advanced Computer Science and Applications, 8(6), 383.
Riahi, A., Challal, Y., Natalizio, E., Chtourou, Z., & Bouabdallah, A. (2013). A systemic approach for IoT security. In 2013 IEEE international conference on distributed computing in sensor systems, 8(5), 351-355.
Stojmenovic, I., Wen, S., Huang, X., & Luan, H. (2016). An overview of fog computing and its security issues. Concurrency and Computation: Practice and Experience, 28(10), 2991-3005.
Tankard, C. (2015). The security issues of the Internet of Things. Computer Fraud & Security, 2015(9), 11-14.
Vashi, S., Ram, J., Modi, J., Verma, S., & Prakash, C. (2017). Internet of Things (IoT): A vision, architectural elements, and security issues. In 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), 8(4), 492-496.
Yang, Y., Wu, L., Yin, G., Li, L., & Zhao, H. (2017). A survey on security and privacy issues in Internet-of-Things. IEEE Internet of Things Journal, 4(5), 1250-1258.
Zhang, Z. K., Cho, M. C. Y., Wang, C. W., Hsu, C. W., Chen, C. K., & Shieh, S. (2014). IoT security: ongoing challenges and research opportunities. In 2014 IEEE 7th international conference on service-oriented computing and applications, 8(5), 230-234.
Zhao, K., & Ge, L. (2013). A survey on the internet of things security. In 2013 Ninth international conference on computational intelligence and security, 12(6), 663-667.
