My organization is worried about the Internet of Things (IoT) particularly because of the lack of federated control...
around all of these connected devices and systems. Are there ways to control IoT device discovery and prevent the many issues associated with non-upgraded IoT devices?
Cisco predicts that around 50 billion devices will be connected to the Internet by 2020. There may be many benefits of having virtually every device -- from cars to household appliances, and even clothes -- connected to the Internet, but it represents a huge security risk to businesses and consumers, and it's already causing problems. Hackers are beginning to use inadequately secured gaming consoles, routers and modems to launch distributed denial-of-service (DDoS) attacks. Most are Universal Plug and Play (UPnP)-enabled, the underlying protocols of which can be abused. Akamai Technologies found 4.1 million Internet-facing UPnP devices were potentially vulnerable to being employed in DDoS attacks or abused in other ways. For example, the Moose malware tries to take over home routers by trying thousands of weak passwords; once it has taken over a device, it steals login details when people visit Twitter, Facebook and other social networking sites. Incorrectly configured home data storage devices (network-attached storage) are also providing hackers with an easy-to-access source of saleable data. As more and more everyday objects are connected to the Internet, the situation will only get worse. Are consumers really going to install the latest security patch for their fridge or think to erase data on their TV before reselling it on eBay?
Although sensors and computerized automation have been around for a long time, these systems have largely been disconnected from operational systems and the Internet. The transition we're seeing to more open network architectures, and particularly IoT, requires enterprises to re-evaluate their security policies and procedures to ensure these devices aren't open to abuse or sensitive data leaks. IoT devices should be risk assessed prior to being added to the network -- IOActive found the traffic control system used in Washington, D.C. transmits everything in plaintext and could easily be manipulated to allow an attacker to take complete control of the system.
Any approved device capable of connecting to the Internet has to be added to the enterprise's information asset register and included in the patch management process, as well as included in any penetration tests, as they are a possible attack vector. Configuration settings should always be hardened; IoT devices typically use default accounts and passwords, making them easy to compromise. Physical security also needs to be put in place. Business continuity plans will need updating, and bandwidth requirements will certainly need to be checked to ensure critical applications and processes can still access their required bandwidth, otherwise IoT devices could cause a self-induced denial of service.
The data paths between IoT devices need to be secure. If the data is sensitive, it will need to be encrypted, which means key management and identity management infrastructures are needed to control the relationships between devices; with 50 billion IoT-connected devices, it'll be impossible to securely authenticate each device relying on just a password. Where possible, enterprises should isolate these devices to their own network segment or VLAN. This will not only help to control IoT device discovery and contain any breaches, but will also make traffic management and monitoring easier. Monitoring the network traffic generated by IoT devices is going to be the best way to spot and stop malicious activity and attack traffic.
As with all things Internet, the commercial benefits and opportunities that IoT devices offer will see vendors rushing products to market before security concerns have been fully addressed. At present, IoT devices lack a common set of compliance requirements, though some organizations are working on various specifications. The Open Interconnect Consortium is defining a connectivity framework that includes consistent implementation of identity, authentication and security controls, while the AllSeen Alliance is working on an open framework to enable activities such as device discovery of adjacent devices, pairing, message routing and security.
IoT is a fast-evolving technology and enterprises need to put security in place from the beginning -- not as an afterthought -- otherwise IoT creates the possibility of attacks on a massive scale.
Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)
Internet of Things security is ushering in a wave of IoT services
Learn more about IoT security and seven risks to be aware of
Dig Deeper on Internet of Things (IoT) Security Strategy
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading