When the Internet arrived we entered a new era of cyber security. The threat landscape went from one where we could manage it within the walls of the enterprise, to being one where those walls were smashed wide open. Just as we are beginning to create robust solutions to the fuzzy enterprise perimeter, along comes the Internet of Things (aka the IoT) to remove those walls altogether. The IoT is an empowering technology paradigm. It will generate so much data that analysts IDC predict that by 2020, 10% of all data on earth will be generated by the IoT. The IoT is a game changer for business. Gartner have predicted that by 2020 over half of business processes will be reliant on an IoT device. And analysts McKinsey expects the market to be worth over $6.2 trillion by 2025.
There is a lot of hype about the Internet of Things, but it is here already and exploding across the world. But of course there is no such thing as a free lunch and the very nature of the IoT, i.e. distributed connections and the big data it creates, are the very thing that attracts cybercriminals. The IoT is a goldmine for hackers and we need to batten down the hatches.
The Insecurity of Things
Connected, Internet enabled devices have already entered our lives. We can wear them, use them to heat our homes, new cars are starting to employ them and our businesses are starting to use them in areas as diverse as marketing, IP based cameras, automation and process control.
Already IoT focused security problems are surfacing. Just like BYOD, IoT devices are being connected up to networks, often without thought for the possible consequences. For example, if an IOT device can be charged via a USB port, then there is a reasonable likelihood that it could also pass on malware through that USB connection. In another example, Cloud based DVR cameras, considered part of the IoT, can offer a hacker a way into an organization’s network, according to CCTV camera manufacturer CloudView.
The entry of IoT into our extended business networks needs to have security addressed and be brought into your security risk assessment as would any other device, application, or Cloud platform. An IoT device is just another endpoint within a highly distributed network. Internet enabled devices, bring new challenges in security, each requiring an understanding of the way that the devices fit into the overall business application eco-system.
In terms of the level of understanding of the impact of IoT devices, transparency, visibility and access control are three areas that can be used to create a protective layer around a network accommodating IoT devices.
Transparency of the Internet of Things: Transparency of data generated and transmitted by IoT devices is an area that needs to be fully understood. The IoT has added a magnitude of order, above and beyond traditional applications, to the quantities of data being generated and much of this data will be a duplicate. IDC have suggested that, as much as 60% of data generated by Internet enabled devices is a duplicate. This creates a data management issue and ultimately opens up new vectors of attack by cybercriminals. IDC also predict that by 2018 up to 80% of businesses will partner with Cloud platforms to enhance scalability of services. The mix of increased data generation and Cloud platforms, has led analysts, IDC to predict that by 2018 90% of businesses, will experience an IoT related security breach.
Visibility of the Internet of Things: One of the difficult areas of managing security across a network of widely distributed, but connected devices, is in knowing exactly which devices are connected to your network. As mentioned previously, this connection may also be intermittent, as in the charging of devices through a USB port. Having sight of your extended IoT network is key to knowing where protective measures need to be employed.
Controlling Access to the Internet of Things: Access control is already a bugbear within devices that are Internet enabled. A number of devices have been identified that have backdoor accounts baked into them. For example having an easily guessable username, ‘admin’ and password ‘password’ pre-set by the manufacturer so they can easily fix issues and perform updates. PEN testers, Veracode have carried out research into the security issues inherent in many IoT devices. These vulnerabilities include, poor authentication, no encryption of data transmitted and unsecured or poorly implemented Internet connections.
Resolving Security Issues in the IoT
The IoT is not likely to disappear. A market worth so much is a very important part of global economic growth. But it is also important to the cybercrime community too, who will exploit it for all it is worth.
Securing the Internet of Things is a process. It requires insight; knowing how the IoT devices impact your network is the starting point. This knowledge will allow you to plan out your IoT security strategy, layering it against your traditional network risk analysis – it is, after all, just a fuzzy extension of your enterprise network.
Access control is one of the keys to protecting your IoT network. Privileged access control policies can help prevent some of the more fundamental security breaches – granularity to the extent of controlling who can enter the network and access resources, through which device, is a very powerful way of breaking a highly distributed network up into more controllable parts. USP offers a powerful solution to this problem in the form of their Network Access Control.
One of the novel methods that USP uses to secure the IoT layer of a distributed network is through the use of web-based security measures. The IoT can be thought of as a dispersed series of end points, each connected back to other applications through the Cloud via a central application server. Web-focused security threats as identified by OWASP are threats to the IoT as much as they are threats to web servers. RESTful web services are becoming the mainstay of application architectures and have been designed to optimize the use of Internet based apps and ultimately the IoT. This brings with it challenges as REST services have a wide attack surface as they link up so many devices and web apps. Keeping the communications between all of these moving parts secured is something, which requires state of the art web access management capabilities and protection via a dedicated Web Application Firewall (WAF).
With the correct measures in place, the Internet of Things can be part of a secured, but highly distributed network. Optimized application of security will give the IoT a strong backbone from which to build a more innovative future. This new technology paradigm is a great opportunity for market growth and ensuring that it has intelligent security protection applied, will ensure its continued growth and uptake.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.