Blog | January 29th, 2018
IoT in Federal: From Concept to Reality and Risk
The way we reconcile our security concerns with IoT’s inevitable integration will determine whether the revolution upgrades our lives or creates chaos.
Remember when the Internet of Things was more concept than reality? Those days are long gone. Demand for IoT technologies has skyrocketed in the last year, with IHS estimating 20 billion connected devices globally in 2017.
And it’s not just the smart refrigerators and Fitbits and Bluetooth speakers we see at home. IoT technologies have permeated the enterprise as well, with sensors, analytic measurement tools, and VoIP phones appearing, sometimes without the blessing or involvement of IT and security leadership. The infiltration is not unlike what we experienced more than a decade ago when the smartphone initiated a Bring Your Own Device (BYOD) revolution.
Even as Business Insider predicts that business spending on IoT solutions will hit $6 trillion by 2021, the rapid adoption of IoT has unfortunately come at the expense of security standards. In the first half of 2017, the number of IoT attacks increased by a staggering 280%.
It’s clear that swift action is needed to address the gaping holes in IoT security that could devastate organizations and consumers alike. But with such new and rapidly evolving technology, where do we even begin?
An uphill battle
With billions of IoT devices projected to hit our networks over the next few years, we can’t stop every attack. After all, you can’t be perfect, and you can’t be everywhere. We’ll never be able to stop everything at the first layer, and that’s OK.
So, what do we do? We get even more proactive. We get even more diligent. We move as fast as circumstances allow. Remember the old NSA mantra: defense in depth.
As dry as it sounds, consistently reliable security procedures are a surefire way to prevent the majority of IoT attacks. Since IoT devices often look and feel like ordinary household objects, we may forget or even ignore the reality that they’re connected to our network. But they are, and they demand the same amount of scrutiny as traditional endpoints. It’s cliché, but it bears repeating: an ounce of prevention is worth a pound of cure.
Never take device security as a given. Manufacturers and legislators are not reliable defenders of your data. So, when an organization incorporates smart devices into its network, the same organization bears the responsibility of rolling them out with standardized policies and procedures.
This means rigorous tests to ensure security and safety along with investing in scans that reveal code vulnerabilities. This type of procedure, with a well-executed patching process, will secure devices well before they hit the network.
Separation and visibility
If the first layer is process and procedure, the second is separation and visibility. Think of it as a closed-circuit TV: self-contained and accessible only to those with proper permissions.
We can imitate this for IoT via an air gap, effectively isolating IoT systems from public networks. This can be a crucial part of a security solution for networks whose IoT systems serve critical roles. Hospitals, for example, may use network-based technologies to monitor patients and even administer medicine. In this case, an air gap would go a long way toward ensuring these devices are accessible by proper personnel only.
Another powerful way to increase IoT protection is to invest in visibility tools: software solutions that establish behavior baselines and then provide anomaly detection and an automated response. Firewall and antivirus technologies are highly over-leveraged in the current landscape. While they can help thwart brute force malware attacks, they often stop short of collecting information beyond the signatures of attacks they’re built to defend against.
To effectively keep pace with threats, we need more agile and responsive solutions that allow us to remain well-armed on the subtle fronts of user behavior and file movements.
The visibility and insight this provides will allow for early anomaly detection. Moreover, it can provide IT teams with power and leverage over their virtual environments, helping them overcome the pestering fear of the unknown. With this knowledge and awareness, IoT can be more safely and effectively implemented.
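The baseline-then-detect approach described above, as an added example that is not part of the original article: it learns each device's usual peers and traffic volume from flow records, then maps deviations to a response. The device names, addresses, thresholds and response labels are constructed assumptions, not output from any real product.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (device, destination, port, bytes_sent)
BASELINE_FLOWS = [
    ("infusion-pump-01", "10.20.0.5", 443, 1200),
    ("infusion-pump-01", "10.20.0.5", 443, 1100),
    ("infusion-pump-01", "10.20.0.5", 443, 1300),
    ("voip-phone-17", "10.30.0.9", 5061, 8000),
    ("voip-phone-17", "10.30.0.9", 5061, 9000),
    ("voip-phone-17", "10.30.0.9", 5061, 8500),
]
LIVE_FLOWS = [
    ("infusion-pump-01", "10.20.0.5", 443, 1250),   # normal
    ("infusion-pump-01", "203.0.113.50", 23, 400),  # peer and port never seen before
    ("voip-phone-17", "10.30.0.9", 5061, 250000),   # known peer, unusual volume
    ("badge-reader-03", "10.20.0.5", 443, 900),     # device that was never baselined
]

def build_baseline(flows):
    """Learn, per device, the set of (dst, port) peers and byte-count statistics."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for device, dst, port, nbytes in flows:
        peers[device].add((dst, port))
        sizes[device].append(nbytes)
    return {d: {"peers": peers[d], "mean": mean(sizes[d]), "stdev": pstdev(sizes[d])}
            for d in peers}

def evaluate(flow, baseline, k=3.0, min_stdev=100.0):
    """Return (response, reason) for one flow; k and min_stdev are assumed tunables."""
    device, dst, port, nbytes = flow
    profile = baseline.get(device)
    if profile is None:
        return ("quarantine", "unknown device")
    if (dst, port) not in profile["peers"]:
        return ("quarantine", "new destination")
    # Floor the deviation so a very steady device does not alert on tiny changes.
    limit = profile["mean"] + k * max(profile["stdev"], min_stdev)
    if nbytes > limit:
        return ("alert", "volume above baseline")
    return ("allow", "matches baseline")

def triage(flows, baseline):
    """Evaluate every live flow and return (device, response, reason) rows."""
    return [(f[0], *evaluate(f, baseline)) for f in flows]

if __name__ == "__main__":
    for row in triage(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(row)
```

Note that a device with no baseline at all is treated as the most suspicious case, which matches the article's point about devices appearing without IT involvement.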
Oddly enough, when evaluating IoT security in the enterprise, a good place to start is at home—not just your home, but every employee’s. Whether it’s a smart refrigerator, internet-connected toys or a tablet, you cannot throw a rock down a modern street today without hitting a home with some sort of smart-home network.
Knowing that, do you trust that every employee within your enterprise has secured their smart-home devices using the same level of scrutiny and vigilance that you expect of devices connected to your network? It’s an important question, considering that many of our smart devices connect not only in the office, but to our home networks as well. That being true, how will you ensure that employees take appropriate measures to secure IoT devices not only at work, but within the confines of their homes?
Every device added to your network is another potential access point for the ill-intentioned. As with all IT, risk is part of the package. But we need to be judicious about our allowance of that risk, and we need to understand how to mitigate unintended consequences.
Miracle or disaster?
IoT arrived in full force much earlier than anticipated. Today, we’ve suddenly been surrounded by devices that make the physical world more connected, more responsive and less secure.
The way we reconcile our security concerns with IoT’s inevitable integration will determine whether the revolution upgrades our lives or creates chaos. How will you prevent the latter?
Pete Burke is security practice lead at Force 3. This article was originally published by www.CSOonline.com.