Embed Size (px)
Citation preview
AUGUST 2014
IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?
EDITOR’S DESK: INTERNET OF THINGS AND SECURITY
WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGS
I N F O R M A T I O N
SECURITYInsider Edition
SECURING THE INTERNET OF THINGSThe emerging Internet of Things raises new security concerns and
puts a spin on old ones. In this Insider Edition, InfoSec pros find out how to assess IoT risks and create an effective IoT security policy.
2 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
enterprise IoT risks today, some of which will look famil-iar on first glance: DDoS attacks, patch management chal-lenges and traffic analytics. The nature and number of IoT devices puts a twist on those risks, though.
In the other features, we explore some of the challen-ges associated with securing IoT devices. Experts say the devices may not have the processing power to run security software, while debate also remains over which party is even responsible for securing the Internet of Things.
Numerous enterprises may see IoT as a potential gold rush, but security can’t be ignored. This Insider Edition will help enterprises achieve the benefits associated with the Internet of Things while containing the risk. n
BRANDAN BLEVINS is the news writer for TechTarget Security Media Group
The Benefits of the Internet of Things Can’t Overshadow Security ConcernsWhile connecting billions of new devices to the Internet offers many advantages, organizations must also manage the risks involved. BY BRANDAN BLEVINS
EDITOR’S DESK
BY 2015, CISCO predicts that around 25 bil-lion devices will be connected to the Internet. That number is expected to double by 2020. This web of Internet-connected devices, dubbed the Inter-
net of Things, has been touted by tech giants as a way to efficiently share data and improve lives. Indeed, we’ve already seen compelling products introduced, and the companies creating these items are profiting from API monetization schemes and other efforts.
Still, the danger associated with connecting billions of potentially vulnerable devices—many of which share sensitive data—to the Internet has not been discussed enough. This Insider Edition aims to explore those risks and how organizations can mitigate them. First, ex-pert Ajay Kumar enumerates seven of the most pressing
3 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
By Ajay Kumar
SEVEN IoT RISKS YOU MUST CONSIDER The Internet of Things is growing fast, and so are the risks. Here are seven risks that must be taken into account when planning at IoT policy.
THE DAY WHEN virtually every electronic device—from phones and cars to refrigerators and light switches—will be connected to the Internet is not far away. The number of Internet-connected devices is growing rapidly and is expected to reach 50 billion by 2020.
However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon significantly increases the number of security risks businesses and con-sumers will inevitably face. Any device connecting to the Internet with an operating system comes with the possi-bility of being compromised, becoming a backdoor for at-tackers into the enterprise.
In this feature, I discuss the proliferation of the In-ternet of Things and explore what enterprises can do to manage the security risks associated with IoT devices.
WHAT IS THE IoT? WHY IS IT GROWING IN POPULARITY?The IoT sensation is rapidly embracing entire societies and holds the potential to empower and advance nearly each and every individual and business. This creates
4 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
often not designed with security as a primary consider-ation, vulnerabilities are present in virtually all of them—just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.
Enterprises and users alike must be prepared for the numerous issues of IoT. Listed below are seven of the many risks that are inherent in an Internet of Things world, as well as suggestions to help organizations pre-pare for the challenge.
DISRUPTION AND DENIAL-OF-SERVICE ATTACKSEnsuring continuous availability of IoT-based devices is important to avoid potential opera-
tional failures and interruptions to enterprise services. Even the seemingly simple process of adding new end-points into the network—particularly automated devices that work under the principle of machine-to-machine communications like those that help run power stations or build environmental controls—requires businesses to focus attention on physical attacks on the devices in re-mote locations. As a result, the business must strengthen physical security to prevent unauthorized access to de-vices outside of the security perimeter.
Disruptive cyberattacks, such as distributed denial-of-service attacks, could have new detrimental consequences for an enterprise. If thousands of IoT devices try to access
tremendous opportunities for enterprises to develop new services and products that offer increased convenience and satisfaction to their consumers.
On the user side, Google recently announced that it is partnering with major automakers Audi, General Motors and Honda to put Android-connected cars on the roads. Google is currently developing a new Android platform that connects these cars to the Internet. Soon, car own-ers will be able to lock or unlock their vehicles, start the engine or even monitor vehicle performance from a com-puter or smartphone.
The promises of IoT go far beyond those for individual users. Enterprise mobility management is a rapidly evolv-ing example of the impact of IoT devices. Imagine if sud-denly every package delivered to your organization came with a built-in RFID chip that could connect to your net-work and identify itself to a connected logistics system. Or picture a medical environment in which every instru-ment in the exam room is connected to the network to transmit patient data collected via sensors. Even in indus-tries like farming, imagine if every animal were digitally tracked to monitor its location, health and behavior. The IoT possibilities are limitless, and so is the number of de-vices that could manifest.
However, despite the opportunities of IoT, it also comes with many risks. Any device that can connect to Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are
1
5 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
devices must be designed with security in mind, and in-corporate security controls, using a pre-built role-based security model. Because these devices have hardware, platforms and software that enterprises may never have seen before, the types of vulnerabilities may be unlike anything organizations have dealt with previously. It’s critical not to underestimate the elevated risk many IoT devices may pose.
IoT VULNERABILITY MANAGEMENTAnother big challenge for enterprises in an IoT environment is figuring out how to quickly patch IoT device vulnerabilities—and how to
prioritize vulnerability patching.Because most IoT devices require a firmware update
to patch vulnerabilities, the task can be complex to ac-complish on the fly. For example, if a printer requires firmware upgrading, IT departments are unlikely to be able to apply a patch as quickly as they would in a server or desktop system; upgrading custom firmware often re-quires extra time and effort.
Also challenging for enterprises is dealing with the de-fault credentials provided when IoT devices are first used. Often, devices such as wireless access points or printers come with known administrator IDs and passwords. On top of this, devices may provide a built-in Web server to which admins can remotely connect, log in and manage the device. This is a huge vulnerability that can put IoT
a corporate website or data feed that isn’t available, for-merly happy customers will become frustrated, resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market.
Many of the challenges inherent to IoT are similar to those found in a bring your own device environment. Ca-pabilities for managing lost or stolen devices—either re-mote wiping or at least disabling their connectivity—are critical for dealing with compromised IoT devices. Hav-ing this enterprise strategy in place helps mitigate the risks of corporate data ending up in the wrong hands. Other policies that help manage BYOD could also be beneficial.
UNDERSTANDING THE COMPLEXITY OF VULNERABILITIESLast year, an unknown attacker used a known vulnerability in a popular Web-connected baby
monitor to spy on a two-year-old. This eye-opening in-cident goes to show what a high risk the IoT poses to enterprises and consumers alike. In a more dramatic ex-ample, imagine using an IoT device like a simple ther-mostat to manipulate temperature readings at a nuclear power plant. If attackers compromise the device, the con-sequences could be devastating. Understanding where vulnerabilities fall on the complexity meter—and how serious of a threat they pose—is going to become a huge dilemma. To mitigate the risk, any project involving IoT
2
3
6 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
Internet-connected devices, and then implementing ef-fective controls. Given the diversity that exists among these devices, organizations should conduct customized risk assessments to identify the dangers and determine how best to contain them.
An interesting recent example was the case of former Vice President Dick Cheney disabling the remote con-nectivity of a defibrillator implanted in his chest. Unfor-tunately most enterprises don’t have the luxury of taking these devices offline. In any event, organizations that embrace IoT must define their own information security controls to ensure the acceptable and adequate protection of the IoT evolution. As the trend matures, best practices will certainly emerge from industry professionals.
FULFILLING THE NEED FOR SECURITY ANALYTICS CAPABILITIESThe variety of new Wi-Fi-enabled devices con-necting to the Internet creates a flood of data
for enterprises to collect, aggregate, process and analyze. While organizations can identify new business opportuni-ties based on this data, new risks emerge as well.
With all of this data, organizations must be able to identify legitimate and malicious traffic patterns on IoT devices. For example, if an employee tries to download a seemingly legitimate app onto a smartphone that con-tains malware, it is critical to have actionable threat intel-ligence measures in place to identify the threat. The best
devices into attackers’ hands. This requires enterprises to develop a stringent commissioning process. It also re-quires them to create a development environment where the initial configuration settings of the devices can be tested, scanned to identify any kind of vulnerabilities they present and validated, allowing the organization to ad-dress any issues before the device is moved into the pro-duction environment. This further requires a compliance team to certify that the device is ready for production, test the security control on a periodic basis and make sure that any changes to the device are closely monitored and controlled and that any operational vulnerabilities found are addressed promptly.
IDENTIFYING, IMPLEMENTING SECURITY CONTROLSIn the IT world, redundancy is critical; should one product fail, another is there to take over.
The concept of layered security works similarly, but it re-mains to be seen how well enterprises can layer security and redundancy to manage IoT risk. For example, in the healthcare industry, medical devices are available that not only monitor patients’ health statuses, but also dispense medicine based on analysis these devices perform. It’s easy to imagine how tragic consequences could result if these devices became compromised.
The challenges for enterprises lie in identifying where security controls are needed for this emerging breed of
4 5
7 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
observed, largely due to streaming media, peer-to-peer applications and social networking. As more devices connect to the Internet, this number will continue to grow.
However, the increased demand for the Internet will potentially proliferate business continuity risks. If critical applications do not receive their required band-width, consumers will have bad experiences, employee productivity will suffer and enterprise profitability could fall.
To ensure high availability of their services, enter-prises must consider adding bandwidth and boosting traffic management and monitoring. This not only miti-gates business continuity risks, but also prevents potential losses. In addition, from the project-planning stand-point, organizations should carry out capacity planning and watch the growth rate of the network so that the in-creased demand for the required bandwidth can be met.
CONCLUSIONThe Internet of Things has great potential for the con- sumer as well as for enterprises, but not without risk. Information security organizations must begin prepara-tions to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology we can’t even foresee currently. Enterprise security teams should take
analytical tools and algorithms not only detect malicious activity, but also improve customer support efforts and improve the services being offered to the customers.
To prepare for these challenges, enterprises must build the right set of tools and processes required to pro-vide adequate security analytics capabilities.
MODULAR HARDWARE AND SOFTWARE COMPONENTSSecurity should be considered and imple-mented in every aspect of IoT to better control
the parts and modules of Internet-connected devices. Because attackers often exploit vulnerabilities in IoT devices after they have been implemented, organizations should consider a security paradigm like the Forrester Zero Trust model for these devices.
Where possible, enterprises should proactively set the stage by isolating these devices to their own network segment or VLAN. Additionally, technologies such as micro-kernels or hypervisors can be used with embedded systems to isolate the systems in the event of a security breach.
RAPID DEMAND IN BANDWIDTH REQUIREMENTA Palo Alto Networks Inc. study revealed that between November 2011 and May 2012,
network traffic jumped 700% on networks the vendor
6
7
8 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
COVER STORY: RISKS
in what will be an increasingly interconnected digital world. n
AJAY KUMAR is an information security manager who has been working for a decade in the information security and risk management domain, and has expertise in cybersecurity, identity and access management, security operations management, data protection, cloud security and mobile security. Ajay can be reached at [email protected].
the initiative now to research security best practices to secure these emerging devices, and be prepared to update risk matrices and security policies as these devices make their way onto enterprise networks to enable machine- to-machine communication, huge data collection and numerous other uses. This increased complexity within the enterprise shouldn’t be overlooked, and threat model-ing will be necessary to ensure basic security principal of confidentiality, integrity and availability are maintained
9 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
THE INTERNET OF THINGS is more than just cars, clocks and coffeemakers. It’s about an entirely new frontier of net-worked devices that affect enterprise security both di-rectly and indirectly. One of the recent discussion points has been around whether or not the average corporate network can even handle the Internet of Things’ band-width requirements. It’s certainly something to be think-ing about, but it seems moot when you consider the potential for the inevitable security headaches.
Enterprises have enough trouble keeping up with the security of their traditional network systems. Many peo-ple struggle with knowing where their systems, and es-pecially their sensitive data, are located. Others have no clear picture of their current security posture or what’s taking place on the network at any given moment. No doubt, the largest group consists of IT and security staff who struggle to get—and keep—management and their general user base on board with security. With the In-ternet of Things, these issues become even more of a challenge. I suspect we’re going to experience a side of se-curity we never anticipated.
By Kevin Beaver
IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?It’s time to start prepping a security policy for the coming IoT era, to avoid the free for all we saw with the bring-your-own movement.
READY?
10 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
READY?
policies where necessary.
n Will new security policies be required? You might find that new (or updated) policies around network segmen-tation and access control are needed to ensure these de-vices are kept in their place—similar to how you might handle wireless access points and guest Internet connec-tions. Be sure to consider the Internet of Things impli-cations for business partners, suppliers and customers that network connections into your environment as well. What additional risks will each of your employees’ Inter-net of Things devices at home introduce to your network via VPN connections?
n Who’s going to ensure that your policies are both enforceable and actually enforced to minimize your Internet-of-Things risks? Management and users may buy into policies around core business applications, but how are they going to perceive your desire to secure seem-ingly harmless devices with minimal business purpose? You need to be able to quantify the risk by performing a risk analysis and determining the likelihood and impact when threats exploit Internet of Things vulnerabilities. A good BYOD security program now cannot only serve as a good indication of things to come but also the ground-work for your Internet of Things policy enforcement.
n Who’s going to be monitoring the Internet of Things?
Since the beginning of my career in information secu-rity, I’ve worked by the mantra that if a system has an IP address or a URL and it touches the business network or processes sensitive information in any way, then it’s fair game for attack. It should also be fair game to fall within the scope of existing security management programs. Similar to mobile devices, instant messaging, social me-dia usage and the like, we’re not going to stop the Inter-net of Things from growing. It has to be front and center in your security discussions.
PLAYING BY THE RULES One of the core principles of minimizing information risks is to lay out a set of rules to play by in the form of well-written security policies. If proper expectations are not set, then it’s a free for all, not unlike what we see with BYOD. The good news is that securing—or protecting against—the Internet of Things is not going to be much different from securing any other aspect of the network. It’s about perspective and priorities. Here are some secu-rity policy-centric items you must consider with Internet of Things in the enterprise:
n What role will your existing security policies play? You won’t have to start from scratch. Your existing poli-cies around passwords, patching, system monitoring will likely suffice. The important thing is to ensure that the Internet of Things falls within the scope of each of these
11 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
READY?
and small. You’re going to have to up your security game by doing more of it—better, faster, and cheaper than ever before. Now’s the time to be thinking about keep-ing the Internet of Things in check on your network and any other networks that are associated with your busi-ness. Get the right people on board and at least start with a policy update that outlines what you’re doing and not doing—allowing and not allowing—with all of these con-nected devices. Policies aren’t the magic solution to se-curity. In fact, they often do more harm than good by creating a false sense of security and “compliance.” But do it anyway—any positive action toward a better, more secure Internet of Things will provide many long-term payoffs for the business as a whole. n
KEVIN BEAVER is an information security consultant, writer, professional, speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.
You could ultimately be looking at double the number of hosts (or more) on your network at some point in the near future. Will you need additional staff to ensure ev-erything is kept in check? Will your managed security ser-vices provider be able to accommodate these systems?
I don’t typically buy into the marketing hype associ-ated with emerging areas of IT, such as the cloud and big data, but there is something to be said about the Internet of Things. The term is a bit jargon-ish but the business consequences are real. Cisco estimates that the Inter-net of Things will grow to 50 billion devices by 2020. That represents a significant number of systems that will somehow need your attention. These devices could open up backdoors into your network. They can facilitate malware propagation. They can end up storing sensitive business information. They can lead to denial-of-service conditions. Is your business prepared? Are you going to be able to justify taking time away from the things you’re currently doing to tend to this new realm of systems in-vading your network?
Complexity is one of the largest barriers to effective security, and the Internet of Things is no doubt going to increase that exponentially for organizations both large
12 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
ADVOCATES SAY THE Internet of Things is a multi-trillion dollar business opportunity, but it’s also a potential di-saster for privacy and safety. Before we connect every-thing around us to the Internet, we need to think about security.
Internet of Things security is difficult to discuss be-cause the concept is so immense. When you make “every-thing” IP-connected, how do you lock all of that down? Cars, cows, oil rigs, medical devices, refrigerators. There is no perimeter that can encircle all of that.
“The challenge we have is that each of those areas is really pretty separate,” said Bret Hartman. “The technolo-gies working in those areas tend to focus specifically on their own area. It’s not going to be one-size-fits-all for [Internet of Things] security.”
Companies and individuals will also find that they lose a lot of control over where their data is and where it is go-ing. When consumerization struck the enterprise, power and control over data and connectivity shifted from IT to the user. IT is still adapting to that shock. Now another shift is coming.
By Shamus McGillicuddy
WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGSIt’s a big task, securing the Internet of Things, and a key step is to figure out who exactly is responsible.
RESPONSIBILITY
13 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
a cow’s health might go to another “thing” on a farm that crunches that data and spits out new data. Then that data goes elsewhere, all across IP networks.
“These are typically paths that are poorly protected. The bigger problem is not so much the endpoints, but the fact that the data paths themselves create a new attack platform.”
“What if your microwave was taken over and it kept telling your fridge to shut down?” said Chakravarty of ThreatTrack. “You wouldn’t know there was something wrong with your microwave. The user is slowly stepping out of the equation. We may be carrying a phone, but it’s not just a phone. It’s a transmitter and receiver that can propagate information exactly like a router would on a network.”
INTERNET OF THINGS SECURITY: HOW DO YOU DO IT?Some engineers say network monitoring is the way to solve the problem.
“It’s much more about using the network fabric to watch traffic across all these devices and limit [that traf-fic] where there appears to be some abuse or potential at-tack happening,” Cisco’s Hartman said. “In an industrial control system, you might change [a robot’s] settings with a management console, but you wouldn’t expect two ro-botic arms to reprogram each other. So you can look at that kind of traffic and say this shouldn’t be happening.
“Power is shifting from the user to machines,” said Dipto Chakravarty, executive vice president of engineer-ing and products at ThreatTrack Security Inc. “And when it shifts to machines, connectivity is the inverse to secu-rity. The more connectivity you have, the less security you have—unless you can layer it in properly.”
INTERNET OF THINGS SECURITY: IT’S NOT EASYLocking down the so-called “things” on the Internet of Things is a daunting task because security takes comput-ing power, and many things have only the bare minimum, if that.
“Usually these endpoint devices aren’t very big. They don’t have a lot of compute power to do much, especially around security,” Hartman said. “There are IP-address-able light bulbs. There’s not a whole lot of processing power left in there for security.”
Furthermore, wherever you have an IP-connected thing, you also have an operating system. Operating sys-tems need to be patched. When they aren’t, hackers find vulnerabilities. Botnets will find millions of new recruits in the form of zombie appliances and other “things.”
These things are all communicating with each other, too. And they influence each other.
“How much is going to go wrong if someone hacks a cow’s monitoring system?” asked Eric Hanselman, chief analyst for New York-based 451 Research. “It’s all just passive data collection. It’s not a big deal.” But data about
RESPONSIBILITY
14 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
RESPONSIBILITY
to extract data. Those legacy systems will pose a higher risk than something engineered from the ground up to be an IP endpoint.
“You need to add intelligence to be able to deal with the level of risk [presented] by these older types of data sources,” 451 Research’s Hanselman said.
INTERNET OF THINGS SECURITY: WHO OWNS THE PROBLEM?Clearly, there is a lot of work to be done in securing the Internet of Things. Before you even tackle the problem, you need to figure out who is responsible for it. Billions of new devices will start collecting and sharing data, and a wide assortment of companies will be enabling that. Who owns the problem?
SHAMUS MCGILLICUDDY is the director of news and features for TechTarget Networking Media. He writes about networking, security, data centers, network management and other topics for SearchNetworking and manages overall news coverage for TechTarget’s other networking sites, including SearchUnifiedCommunications, SearchEnterpriseWAN and SearchCloudProvider. He holds a master’s degree in journalism from Boston University.
You can control and limit the traffic that goes among these [robots].”
Internet of Things security will also require encryp-tion key management infrastructure and identity man-agement systems that can scale into the billions, said Earl Perkins, research vice president for Stamford, Connecti-cut-based Gartner Inc.
“We’ll have to figure out a way to protect data in an environment like this, whether it’s on [an] Internet of Things ‘thing’ or in an intermediate location,” he said. “We’ll have to revamp the way we look at encryption key management and identity management. We’ll have to combine capabilities from identity management and as-set management, because [people] are going to become [their own] personal cloud networks. The Internet of Things that you carry on your person and that you have at home are like a cloud of devices that surround you. You have an identity and the things have identity, but how do you keep [up] with the relationships between you and the identity of those things?”
The Internet of Things will also require a sophisti-cated approach to risk management. Not all of the devices on the Internet of Things will be new. Organizations are strapping IP connections onto legacy devices and systems
15 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS n AUGUST 2014
HOME
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY
FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE
INTERNET OF THINGS
TechTarget Security Media Group
TechTarget 275 Grove Street, Newton, MA 02466www.techtarget.com
EDITORIAL DIRECTOR Robert Richardson
EXECUTIVE EDITOR Eric Parizo
FEATURES EDITOR Kathleen Richards
EXECUTIVE MANAGING EDITOR Kara Gattine
NEWS WRITER Brandan Blevins
ASSOCIATE MANAGING EDITOR Brenda L. Horrigan
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Kevin Beaver, Ajay Kumar, Shamus McGillicuddy
CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chap-ple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser
EDITORIAL BOARD
Phil Agcaoili, Cox CommunicationsSeth Bromberger, Energy Sector ConsortiumMike Chapple, Notre DameBrian Engle, Health and Human Services Commission, TexasMike Hamilton, MK Hamilton and Associates Chris Ipsen, State of NevadaNick Lewis, Saint Louis UniversityRich Mogull, SecurosisTony Spinelli, EquifaxMatthew Todd, Financial Engines
MacDonnell Ulsch, ZeroPoint Risk Research
SENIOR VICE PRESIDENT/GROUP PUBLISHER Doug [email protected].
© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or byany means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
COVER IMAGE AND PAGE 3: DRAFTER123/ISTOCK
