
Risk Management in the IoT: An FBI Perspective

What are the stakes for securing the IoT? Proprietary corporate data, perhaps? Or consumer privacy? What about terrorism and counter-intelligence? That’s what concerns Arlette Hart, CISO, FBI. For her and the Bureau, the IoT represents a strong positive force in society, but with a pretty heavy downside if security is ignored.

In her keynote at IoT Security 2015 in Boston on September 22, Hart said that IoT technology is convenient, useful and much more secure than it used to be, but if no one considers the price of the connectivity, the cost will be large indeed.

She compared the risk environment of the IoT to any community. It’s a diverse environment with some people learning the ropes and others leading the way into the uncharted waters of change. It’s managed by people who are usually older (read: CEOs and politicians), and not by the people who handle and understand security.

The problem with that fact is that the people in charge are often attached to legacy ways of doing things, she said, and thanks to the IoT, things are different now.

“Physical security used to be protection against the [software],” Hart said. “Now, physical interferes with the protection of systems. What isn’t new is that technology doesn’t care who is using it.”

What that means is that you can’t rely exclusively on old-school security. Encryption keeps you safe to some extent, but it’s also used by bad actors to protect their bad things, she said.

Hart said breaches and data loss frequently come as a result of insiders, whether they’re malicious or just not knowledgeable or conscientious enough. She ran through several key data losses in national security in the last few years, all of them caused by insiders, including: Robert Hanssen, who sent intelligence to the Russians and taught the U.S. to focus on insiders for information security controls; Bradley Manning, whose theft of data via thumb drive led to the Department of Defense banning all thumb drive data transfer; and Edward Snowden, who took his huge volume of data on external hard drives, which were insufficiently locked down. There was very little direct effect on citizens’ everyday lives from these breaches, however.

She called 2014 the year of the corporate breach, with Target, eBay, Sony, Anthem, Facebook and several others losing private, proprietary info. The end result for consumers here: new cards and credit monitoring for most. Not a huge impact day-to-day.

“With IoT, when compromises happen, people will feel it,” she said. That’s the difference. “My device was monitored. My media was watched. They will take notice.”

There are several questions to ask when thinking about protections, she said.

As a consumer, ask if you bought this capability or product. If you didn’t, you are the product, and you’re selling your privacy. As an IoT service provider, ask if you are ensuring secure baselines. Also, how transparent are you being to consumers, and do you know the risks inherent in holding what you know about them?

Finally, everyone involved needs to determine who owns these IoT data assets. The way to do that is to find out who can improve security by imposing location and time limits on access and controls on access permissions. A final weak link in any chain is the end of the chain, she said. Know who your contractors are, and who their contractors and suppliers are. “Know your information supply chain,” she said.

The FBI recommends:

  • If you buy a thing, make sure you’re using it and shutting down unused features so they can’t be used as backdoor access points.
  • Be a hard target. Use zero-trust models and limit access to critical assets. Remember that compromises come from exceptions.
  • Be ready to recover, assess and remediate after a breach.
  • Trust but Verify: people, assets and data.



Edited by Dominick Sorrentino