The post-apocalyptic, post-technology hackers took over the world and burned it down because someone took over the IoT. This isn’t going to happen. I know; we’re all disappointed. I wanted a Mad Max Ford Falcon Interceptor, too.
It’s fun to speculate, and security is important as M2M technology develops, but, as Syed Zaeem Hosain, CTO of M2M-specific cellular network host Aeris Communications, told me in a recent conversation, “We’re all overreacting or avoiding the issue” when it comes to how to make the enterprise IoT more secure.
“We have a tendency to let specific incidents inform our broad opinions in ways that aren’t always warranted,” he said. So, we overreact by making old ladies take their shoes off at the airport for a decade, as an example. Ultimately, nothing is perfectly secure, and the best that we can do is be prepared for what we can expect and improve over time.
“We need to stop worrying about the ultimate protections and start by assessing the potential results of a breach,” he said. “You’ll never find a perfect or ideal solution, and you’ll waste resources trying to make one. Instead, protect what you can and assess what the outcome of a breach would be and how you will react.”
Deciding on a security strategy for the IoT comes down to a cost versus benefit analysis. Figure out how much security you really need to protect your mission-critical assets, whether those are confidential data points about users or consumers, or control code for a power plant. Protect what you can protect, and then make sure your plan includes contingencies for how your system will react in the event of a breach.
“The biggest real issue is control, not data,” Hosain said. “The only way to be completely secure is not to be connected. Failing that, set checks and balances to make sure the right people are accessing your controls and data sets.”
M2M technology can even help with this, by setting breach sensors into security code that alert key personnel in the event of unauthorized access and even take protective action automatically before a human could even have reacted. The process of building the IoT is still developing, although more rapidly than ever before. The development of M2M security measures is even more immature, but there is little reason to freak out.
“Most people who are thinking about this are just beginning to get educated about how and what measures to implement,” he said. “We have an interesting opportunity to prevent problems before they become huge problems. We need to think about security before we get to the billions of devices that have been predicted.”
At that scale, if security hasn’t been thought about and built in, it will become untenable to even make headway. In fact, it’s possible that if a common standard of security isn’t developed, the M2M marketplace won’t develop to those levels at all.
“Security and scaling are the two major barriers to M2M adoption right now,” he said. “This is going to be very important.”
We need to be prepared to avoid ending up Beyond the Thunderdome. You know the law: Two men enter, one man leaves. But we can easily avoid that future by getting to work on simple security plans and standard practices. Roll out.
Verizon Report Investigates IoT Vulnerabilities
BY KEN BRIODAGH
Verizon released its “2015 Data Breach Investigations Report” on April 15, and it says that of the five billion IoT devices predicted by the end of the decade, most will be unitaskers and therefore very difficult to encrypt. The question it asks is whether they even need to be.
There has not been any substantive breach within the IoT, the report said, so all of its predictions had to be made via conjecture using the best available information. Some of those predictions are pretty wide-ranging, but they’re also quite conservative.
The report predicts increased privacy-related research and exploits from wearables and medical devices – also that M2M device breaches might become the source of breaches into the larger network and lead to the development of tools like Shodan, designed to take advantage of weaknesses in the IoT.
To avoid vulnerability, the report advocates taking sensible precautions like with any other web-based technology. Perform threat modeling and attack exercises to determine potential attackers and their goals, and then figure out where your sensitive data lives and make sure it’s in a secured area.
Data privacy will be of special concern in the IoT, the report says, because it will be essential to provide privacy protection for everyone in the IoT ecosystem, which can be divided into three levels. Level 3 devices are sensor systems capable of relaying measurements to Level 2 devices, which collect data and transmit organized packages on up the chain. Level 1 devices are fully equipped internetworked devices capable of computation and sophisticated communication and application delivery.
Only data that is absolutely necessary should be gathered, if maintaining privacy is of concern. Furthermore, consent and access control rules should be built in and data should not be transferred to third parties for other purposes without explicit approval. Ideally, all data should be transferred and retained in an encrypted and anonymous format. Finally, safeguards against theft should include keeping Level 3 devices to sensing and relaying capability and Level 2 and Level 1 devices, including the intercommunication channels, should be highly secure systems.
One worrisome area cited in the report is the fact that many of the existing vulnerabilities still are not being addressed, and they’ve been open for years. It said that in 60 percent of breaches, attackers are able to compromise an organization within minutes, but many cyber attacks could be prevented through a more vigilant approach to security.
In short, there’s vulnerability, but no one’s taking advantage yet. Perhaps someone should fix the holes before the flood gets here.
Security Leaders Say Beware the Internet Of Evil Things
BY KEN BRIODAGH
A new report released on April 15 by Pwnie Express, a remote security monitoring vendor, warns about the risks inherent in the so-called “Internet of Evil Things” and defines the key factors and threats facing businesses today. It also offers a framework for a comprehensive defense against the IoET.
“This report underscores the need for increased visibility and actionable intelligence on all devices across the enterprise to enhance an organization’s ability to quickly identify and thwart an attack,” said Paul Paget, CEO, Pwnie Express. “It’s our hope that by offering a classification structure for high-risk devices, infosec professionals are empowered to mobilize and begin assessing their security systems’ readiness to defend business-critical infrastructure against the IoET threat.”
Pwnie surveyed more than 600 security professionals for the report and some of the top findings were pretty interesting. More than 80 percent of the respondents said they were concerned they already have rogue or unauthorized devices operating undetected in their networks. They are perhaps concerned because almost 70 percent of them said they don’t have full visibility of all the wireless devices inside their networks. Scary. The last important thing is that the security folks said the most dangerous devices running today are rogue access points, MiFi, and mobile hotspots.
“Cyber attackers seek the path of least resistance, often targeting devices and systems of branch locations, which are perceived to be less secure,” said Mark Arnold, director information security, PTC. “It’s critical that enterprises implement innovative tools and policies across the entire organization to automatically detect the presence of unauthorized or mismanaged devices in real time, empowering security teams to respond quickly and effectively.”
Although it’s fun to refer to the IoT’s Evil Twin, the IoET isn’t a real thing yet. There have as of yet been no major breaches, remember. We’re at the beginning of an IoT-enabled world where these threats will become more likely, however. There is an emerging threat vector that will only grow as adoption of connected devices continues to expand.
The answer is simple: Don’t freak out, and don’t be unprepared.
Wearable Security is a Matter of Establishing Standards
BY KEN BRIODAGH
Wearable devices are here. They’re not universal, or even prevalent, yet, but the numbers of folks with a Fitbit, Samsung Gear, or Apple Watch are only going to grow. That’s not to mention the still-in-development tech like implanted health monitors and sense enhancement mods, but we’re not all that far from those, either.
With all of this tech coming into so many lives, and collecting so much information about consumers and workers, there is a broad potential for security risk. Malicious software can steal personal information and activity patterns from consumers, and if someone uses personal devices for work, enterprise-level intelligence can be at risk, too.
Jim Haviland, CSO of enterprise mobility specialist Vox Mobile, said that we’re seeing a parallel to problems we’ve seen before with emerging technology. “The biggest issue at the moment is the lack of standardization,” he said. “There are so many different ways in, and there aren’t a lot of enterprise-level standard platforms [for wearable development] yet.”
He’s not wrong. Although heavy hitters like Microsoft are promoting platforms for IoT development, most wearables are coded on derivatives of a mobile OS like Android or use some proprietary platform that hasn’t been well vetted, mostly because it isn’t widely used. This makes the devices vulnerable to a variety of exploits and until the industry or governments set standards for encryption and other security measures, the huge pile of data will remain in danger.
“With mobility, we still see most startups looking at how to solve a specific thing because they’re thinking in a behind walls model,” said Haviland. “That doesn’t work in the IoT.”
What will work is an incremental improvement model. Every generation of devices will be better than the one before, hopefully keeping ahead of the hackers, but more likely learning how to fix the holes from the attempted and successful attacks.
“Everyone wants to be the Steve Jobs for this one, but I don’t think that job’s open,” he said. “I think over time, there will be a number of standard platforms [like with mobile OS now].”
The first step, he said, and the most dangerous missing security feature today, is encryption. It’s important for the industry to keep developing and advocating for a common method for getting to encryption. And although data is important, the weak spot is at the control capabilities.
“As soon as we have the ability to learn insights at the point of action, that’s when M2M becomes really valuable,” he said. “We have to figure out how to protect that command and control ability to maintain that value.”
The nightmare scenario is that an IoT virus could enter a system through a worker’s unsecured wearable device, and take control of vital functions. As an example, such controls could grant a malicious user control over a power grid, medical facility, or airport.
Now, that’s unlikely, but not impossible, and Haviland said the stakes are real.
“We’ve got to learn about this stuff. We’re still in the ‘we don’t know what we don’t know phase’,” he said. The important thing for now is to keep developing and to keep talking about the concerns and the solutions.
Edited by Ken Briodagh