The Internet of Things (IoT) is, both literally and figuratively, a lot of things. At this point in its evolution, it’s something of a paradox. While IoT as an infosec topic pursues cybersecurity professionals wherever they go, its nature is to blend into its surroundings. In fact, in his presentation at the 2016 CyberCrime Symposium, Chris Poulin likened it to the iconic chameleon-like creature from the Predator film franchise.
“I think of IoT as a ‘Predator’ problem – you never know where it actually is,” said Poulin. And that creates one of the overarching challenges in managing IoT risk.
Poulin, until recently a research strategist with IBM’s X-Force team and now part of IANS’ faculty of independent practitioners – as well as a self-described futurist, data geek, and “maker and breaker” of things – made good on his promise to stir things up in his fast-paced session. He’s been “into the IoT for almost 30 years,” well before it was tagged as such, always viewing it as “the point where physical and digital security intersect.” Years ago, he couldn’t generate interest when trying to convince others at his consultancy that they should expand beyond their IT network focus to include devices like video cameras. Nobody needs persuading today.
Home, Work, and Everywhere Else
Over the last few years, resistance dropped as cases of IoT gone bad mounted, the result of smart actors taking advantage of poor security design by device manufacturers, security decisions by buyers, and other issues. The breach consequences have extended from the home automation market to the enterprise. The virulent Mirai malware, designed to track down IoT devices whose authentication credentials are either hard-coded or still set to factory defaults, did just that, creating the massive botnet that launched, in September 2016, the largest Distributed Denial of Service (DDoS) attack to date, hitting security reporter Brian Krebs’ website among other targets.
From home devices such as baby monitors, refrigerators, smoke detectors, and wine coolers, to wearables and connected cars, to systems controlled by, or tied to, enterprise networks – HVAC, facility security, elevators, and lighting systems – IoT has made the cyber-attack vector landscape much more difficult to view. IoT devices themselves are powerful tools in the wrong hands; then there’s the data they generate.
"The potential consequences of IoT mixing with enterprise systems should concern any security professional," Poulin said. Consider connected building systems, which create opportunity in the form of “shadow IoT.” To highlight the scope of the challenge, Poulin cited Gartner’s 2015 research showing the then-206.2 million connected devices operating in commercial smart buildings. Though 84% of facilities managers surveyed the same year by FacilitiesNet were using Internet-connected building automation systems (BASs), only 29% were taking, or had completed, any measures to improve the cybersecurity of those systems.
To date, Poulin said, connected elevators “scare me the most.” To optimize energy efficiency and passenger convenience, facilities managers want to connect the BASs controlling their elevators to every tenant’s Microsoft Exchange server. “Anybody want to sign up for that today?” he asked attendees. The bottom line: all those servers and any connected IT systems would be accessible through a BAS breach.
Rational Risk Management
The good news, Poulin said, is that “the IoT is actually a big ecosystem, and as an industry we understand a lot of the security controls around things like users, mobile phones, the cloud, our local networks, and the Internet.” The problems start with the devices themselves and the custom networks they use. Here's his primer for infosec professionals getting into IoT defense:
- Inventory IT assets. Focusing on critical assets and sensitive data, security staff should use NetFlow records to passively identify assets, and vulnerability assessment (VA) scans for active identification and contextual analysis. To locate and identify IoT devices, they can use RF scanning tools. Because IoT is so new, security leaders should train or hire to ensure they’ve got people with basic scripting skills to develop some new options or customize existing tools for locating IoT. “Tools aren’t yet mature so, to some extent, if you're going to secure the IoT you need to build part of it yourself,” said Poulin.
- Segment systems based on risk. Segment IoT devices from IT networks wherever possible. Then manage security for systems that need to connect – HVAC, elevators, and whatever else – on a case-by-case basis.
- Monitor IoT devices on the network. IoT devices typically can’t be monitored like IT assets. At this point, infosec teams are essentially limited to addressing IoT through network-level strategies.
- Protect IT and IoT endpoints. In many cases, endpoint protection won’t translate to an IoT device. Options for working around this include trying custom signatures on IPSs and IDSs; using NetFlow to check for anomalies; and mapping relationships of IoT devices, like wearables, to individual users and to their IT assets.
- Collect IoT device logs and events. IT managers should work with facilities managers to figure out if they can extend their log management and SIEM solutions to cover IoT.
- Update security policies to include IoT devices.
- Get in the dirt to understand how non-IT devices work. Poulin recommends getting a soldering iron, some resistors, capacitors, and other discrete components, and playing – you’ll learn what makes IoT tick. “I believe to be good at IT security you need a coding background because you understand how an IT asset’s built and why,” says Poulin. “The same goes for IoT.”
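As an added example (not from Poulin’s talk or this article), the following Python script shows the passive NetFlow inventory and anomaly check from the first and fourth steps above: it reads constructed flow records (the record format and the peer threshold are assumptions) into a per-device asset list and flags any device contacting more distinct hosts than a fixed-function IoT device normally would.

```python
from dataclasses import dataclass, field

# Constructed sample flows (not real traffic). Format assumed here:
# src_ip,dst_ip,dst_port,proto,bytes  -- one flow record per line.
# 10.0.5.20 behaves like a thermostat talking to a single cloud endpoint;
# 10.0.5.21 behaves like a camera that suddenly contacts many distinct hosts.
SAMPLE_FLOWS = "\n".join(
    [
        "10.0.5.20,203.0.113.10,443,tcp,5120",
        "10.0.5.20,203.0.113.10,443,tcp,4096",
        "10.0.5.21,203.0.113.44,443,tcp,20480",
    ]
    + [f"10.0.5.21,198.51.100.{i},23,tcp,60" for i in range(1, 9)]
)


@dataclass
class Asset:
    """What can be learned about one source IP purely from flow metadata."""
    ip: str
    peers: set = field(default_factory=set)      # distinct destination IPs
    services: set = field(default_factory=set)   # (proto, dst_port) pairs used
    total_bytes: int = 0


def build_inventory(flow_text: str) -> dict:
    """Passively build an asset list keyed by source IP from flow records."""
    inventory = {}
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split(",")
        asset = inventory.setdefault(src, Asset(src))
        asset.peers.add(dst)
        asset.services.add((proto, int(port)))
        asset.total_bytes += int(nbytes)
    return inventory


def flag_fan_out(inventory: dict, max_peers: int = 5) -> dict:
    """Return {ip: peer_count} for devices talking to more distinct hosts than
    the assumed baseline; a fixed-function device normally has very few peers."""
    return {ip: len(a.peers) for ip, a in inventory.items()
            if len(a.peers) > max_peers}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, a in sorted(inv.items()):
        print(ip, len(a.peers), "peers", sorted(a.services), a.total_bytes, "bytes")
    print("fan-out anomalies:", flag_fan_out(inv))
```

In practice the baseline threshold would be learned per device class from a quiet period rather than fixed, and the same per-source table can be joined to the user-to-device mapping the fourth step describes.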
This is the second in our series presenting key takeaways from Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check in weekly for the latest installment featuring actionable insight from select presentations.