Cybersecurity professionals are already overtaxed trying to secure all the devices that make their networks hum, not to mention the multiplying user devices seeking access. Now they’re facing the exploding Internet of Things (IoT), which makes BYOD, the cloud, and similar security concerns seem pale by comparison. The title of Uri Rivner’s and Sam Curry’s 2015 CyberCrime Symposium presentation — IoT: When Things Crawl into Your Corporate Network” — aptly summed up the challenge.
While all the data that IoT generates holds seemingly endless possibilities — from helping businesses improve analytics, to strengthening customer relationships, driving revenues, and enriching lives — it likewise offers innumerable possibilities for cyber-threat actors. Consider the increasing number of interconnected devices that organizations need to deploy to operate effectively and how that complicates the jobs of security professionals. Then consider the rapidly growing number of interconnected devices outside the organization and the powerful implications that has for the security professionals responsible for protecting against cyber-attacks.
What are cybersecurity pros facing with securing IoT? “IoTs are physical objects with computing power, network connectivity, and sensors that make them aware of their surroundings,” said Rivner, head of cyber strategy at BioCatch. These sensors, he said, are among of the most interesting components of IoT devices. “They detect motion, position, humidity, temperature — you name it. These attributes feed into IoT devices and make them increasingly aware. At some point they will become more self-aware and autonomous and start to make some decisions.”
According to Cisco, which has launched a publicly available IoE Connection Counter — much like the one in Times Square that calculates the national debt in real-time — 100 objects connected to the Internet every second in 2014. Cisco estimates that by 2020, 250 objects — appliances, cars, medical devices, video cameras, wearables, facilities automation systems, and innumerable other “things” — will connect per second. At this point, there will be 50 billion devices connected, with no signs of slowing. That’s a lot for a cybersecurity pro to absorb.
Forget FUD and Step Up
Curry, chief technology and security officer at Arbor Networks, acknowledged as much when he told symposium attendees that it’s common to view IoT with fear, uncertainty, and doubt. “People say, ‘all this stuff could be hacked in horrible ways’. And it can,” said Curry.
However, he told them that rather than focus on what could go wrong, he and Rivner wanted to outline “ways to make IoT go right” on the security front by anticipating and planning for failure. With this mindset, organizations can start developing their IoT strategies. In addition to defining counter measures, establishing prevention and detection processes, partnering with the the right providers, and making intelligent purchase decisions, tactical and strategic initiatives should include:
- Improving the ability to discover problems and address them. Organizations should monitor systems for anomalies, so they can proactively address possible threats. Security officers and their technology vendors need processes and service-level agreements (SLAs) for patching vulnerabilities. Patching strategies include virtual patching for short-term fixes.
- Adopting a “mosaic of trust.” Roots of trust and chains of trust can fail, said Curry. For certificates, keys, and encryption, he advised having multiple roots of trust, not just one trusted root authority.
- Using evidence capture and log data. Capturing and analyzing log data helps security professionals identify possible threats early to determine root causes. This and other evidence is instrumental for conducting forensics.
- Deploying/building systems “designed for security.” Designing connected systems for security will be critical to managing IoT as objects multiply and spread. For those not developed with security and safety in mind, IT teams may be able to build it in after the fact. IoT objects designed for security include, for example, those that incorporate sensors that trigger specific actions to prevent disasters or send alerts when there’s a potential threat. Among other capabilities, objects should always be designed so they can be patched.
- Containing breaches by practicing network segmentation and ensuring interconnected systems separate critical and non-critical systems. These best practices help prevent failures caused by cyber-attacks from cascading into other areas — from one departmental system into a more critical application, for instance, or from a compromised component in an industrial control system into a number of systems.
- Collaborating with third parties — other organizations, product manufacturers, security specialists — to share threat intelligence.
- Re-thinking authorization models. Authorization is much more complex in IoT than in the world of web access control and management, where policies are established in advance. “We have to think about the interactions of billions of objects with billions of other objects, so we need a rapid way to handle authorization,” said Curry. “We need to be able to write enforcement code on the fly.”
At this point, said Rivner, a number of groups are working to develop IoT protocols and standards, but currently “there’s no standardization” on the IoT front.
Like other game-changing technological movements that came before it, IoT will continually expand as developers rush to innovate to meet demand both on the business and consumer side. Technology sales objectives and cool features, particularly in emerging markets, often take precedence over the less-sexy functions — like patching capabilities — that should be part of the package.
In the IoT revolution, said Rivner, “IoT devices are built for agility, wide adoption, and wide applicability.” They’re designed to meet consumer demand and not necessarily to be good neighbors in the IoT fabric through integrated security features. However, as with every technology revolution, IoT standards, including those for cybersecurity, will continue to emerge and improve. Ultimately, the demand dynamic will shift from an acquisition mentality to one that treats IoT objects, just like any other connected device, within the context of a comprehensive cybersecurity strategy.
This is the 6th in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. In case you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” read the entire series here.