At the recent ISSA International Conference in Dallas, SearchCompliance editor Ben Cole met with conference speakers to discuss modern data security threats and how they are influencing information security's business role. In this Q&A, David Dufour, senior director of security architecture at Webroot, discusses the biggest threats to IoT data security and why protecting IoT gateways relies on building a "supply chain of trust" between users and developers of connected devices.
What are the new cybersecurity threats created by the increased business use of IoT?
David Dufour: A lot of the threats are around education. We're reliving 10 years ago, when people would bring devices into work and the IS teams didn't know how to secure those devices. A lot of these IoT devices don't have built-in security. They're transmitting data in the clear, they're transmitting usernames and passwords, or Wi-Fi passwords in the clear. There are a lot of security basics that we need to take a look at, whether it's preventing those things from getting on an enterprise network or getting vendors to start providing tighter security around those devices as we bring them into the enterprise. Outside of business, it's a little tougher to lock down because consumers are going to use what they want, how they want, when they want, until they realize how susceptible these devices are to attacks.
How do you get consumers to realize that they're the first line of defense when it comes to protecting their information?
Dufour: That's the billion-dollar question. A lot of it boils down to people's private info getting out there and then all of a sudden they realize, 'wait a minute, I need to do something about this.' I think you saw a lot of that when Facebook started. People just put everything out there, then they realized it affected them getting jobs and things like that, and now they're a little tighter about what they put out there. I think some bad things will have to happen first, but I don't think they'll be as bad as people dying because of a pacemaker getting hacked or something. It will be more embarrassing, then someone will come up with some fairly inexpensive ways to apply some basic security methodologies and it will sort of evolve. But right now, it's kind of the Wild West.
What are some of the IoT data security challenges of protecting information that is generated and stored on connected devices?
Dufour: They're kind of in two areas. One, as we were just talking about, is private information such as heart rate monitors or where you walk every day. Why is that important? Well, somebody could figure out where you go or where you've been. Maybe for most of us that doesn't matter, but maybe you have a jealous significant other and it could create headaches. A lot of hackers aren't going to care about that type of information because they're in it for the money, not just for figuring out who you are. It could create security concerns for some people from a safety and privacy perspective. Maybe some types of devices that are used by doctors get hacked because there's improper security, and you could find out medical information or things people don't want out there. That's one area: private data.
The other is that a lot of these devices store information that would allow a nefarious actor to gain access to other systems. That's probably the bigger concern in the short term because, again, nobody cares if your Fitbit showed that you walked around the block six times. Not a lot of hackers care about that. What they care about is if there's some way to get into an IoT device, gain access to a network through an SSID that's in cleartext and then use it to gain access to other systems where they think they can really do damage.
What are some cybersecurity technologies available to device and application manufacturers, and how do these technologies relate to one another?
Dufour: I just finished giving a presentation on securing IoT gateways, and the biggest drum I can beat right now is being very conscious of what's called the 'supply chain of trust.' The supply chain of trust is knowing where you're sourcing software or hardware if you're a manufacturer, and understanding the security inside of whatever it is you're sourcing. A lot of problems with IoT stem from people not knowing that if I put a wireless card on this device, it's storing that wireless info in a format that a hacker can get into and it's also opening up ports that a hacker knows they can use to get into that device and see that information. A lot of it is understanding what you're using as an enterprise or a business, where it's coming from, and the security stance of those people.
I know that's kind of a long answer, but spend time on, and look at, that supply chain of trust. That's really, right now, the biggest problem because people are racing to get products out the door and they're not taking the time to understand. They might be securing their product, but they might be using sourced solutions from other vendors that aren't secure.
Do you think that business use of IoT will continue to be a major issue in the coming years as the amount of IoT generated data continues to proliferate? Or do you think companies will catch up and start to implement effective IoT data security practices?
Dufour: It's going to be a problem for a while. None of us knew what the initial problems would be. We all knew problems were coming, and now here in 2016 we are seeing lots of DDoS attacks. Right now, nobody is using data from IoT or information from hacking IoT devices to get into other systems because they just haven't figured out how to make money or how to steal things of value. But as that becomes more viable, then I think we'll see a lot of different attacks in the IoT space that no one's thought of today. So, the short answer is yes, it's going to become a bigger problem.