The Internet of Things Is Watching
Those words conjure thoughts of posters that wouldn’t be out of place in George Orwell’s Oceania. And while you may think that’s being overly dramatic, there are real concerns that the Internet of Things (IoT) could pose a huge security concern.
A recent buzzword in the world of technology, IoT is an evolving concept that refers to an Internet-like structure that connects uniquely identifiable objects — basically anything that can be tagged with an identifying chip.
The IoT may be in its infancy in terms of broad consumer use, but for companies worldwide, it’s an irresistible market with trillion-dollar potential. Analysts believe that companies such as Apple and Google jumping into this space will not only speed up adoption of smart home devices, but also boost the perception that “Smart Tech” is secure. In a recent survey, ISACA found that 48 percent of the IT professionals surveyed believe that, for consumers, the benefit of the Internet of Things outweighs the risk. But do they really understand the kind of risks the IoT might pose?
Think It’s All Safe? Think Again
Enterprises, particularly in developed markets, have long been using Internet-connected devices for various operational purposes. Recent research discovered that there were about 55,000 heating, ventilation and air-conditioning (HVAC) systems connected to the Internet throughout the past two years. The research also found that most of these systems have flaws that can be easily exploited by hackers. As Target discovered, hackers can steal login credentials belonging to a company that provides the HVAC services and use that access to gain a foothold on the company’s payment systems.
More than 24 billion devices will soon be connected 24/7 to the Internet and, with the innovation of sensors and the ability to connect things (cars, fridges, medical tools, homes), a considerable amount of data will be generated about our behavior, locations, health, Web searches and so on. For makers of these “things,” solving the security challenges is as important for their consumers as it is for themselves.
Car manufacturers in the U.S. are now permitted to install up to 50 electronic control units, often controlled through their own network. Cars already have location-based browser or embedded information systems. If an auto manufacturer owns data collected by a vehicle, there are a number questions to address: Will it require consent to collect this data from the vehicle owner? Will users be required to provide consent for data generated while they are driving? What happens if the manufacturer’s network is attacked by someone outside the company or an employee who has privileged access?
Mobile devices will soon include platforms that will make them centralized, connected smart home devices. You can turn lights on, manage connected appliances at home and even control your security systems through your device. What happens if the device is broken, damaged, hacked into or sold to someone else?
IP-based cameras have been found to be ridiculously easy to attack. The BBC recently reported that the video feeds from thousands of Trendnet home security cameras have been freely available without a password. Forbes recently carried a worrisome story of baby monitors manufactured by a Chinese firm called Foscam being hacked. Lawyers, civil liberty groups and horrified parents alike asked questions: Could Trendnet have been more proactive by updating its firmware and remotely disabling feeds once it learned about the exploit? Couldn’t Foscam safeguard access to surveillance devices through appropriate controls? Can an employee or ex-employee with the addresses of the houses scout homes and rob them when the coast is clear?
Problems? Or Opportunities?
The big problem with the Internet of Things is that organizations with no experience or expertise in IT security are jumping into this space by simply adding connectivity to their devices. Early research has revealed that poor authentication is a common weakness in typical IP-connected IoT devices such as smart light bulbs, IP cameras, network attached storage (NAS) and wireless printers.
Leading security evangelists argue that, though the scale of the IoT security challenge is huge, the nascent nature of this phenomenon gives us an opportunity to really get it right from the outset. Companies making connected devices can build security mechanisms to account for potential intrusive attacks right at the design and planning stages.
Avoid the R-IOT: Be Threat-Aware
Safeguard Mobile, Cloud and Social Access
Companies need to move away from the classic, perimeter-based “castle defense” toward a more risk-based or threat-aware identity and access management (IAM) approach. Your IAM solution needs to be intelligent enough to evaluate different circumstances in which people seek entry to systems and make the best judgment — for example, using adaptive and two-factor authentication when a user logs in from an atypical device, environment or platform.
Prevent Insider Threats
Companies handling or owning data have an imperative to trust but relentlessly verify the entitlements of their own employees who access data. It is critical to confirm, validate and authenticate identities; discover who is doing what on systems; and block unauthorized access and actions before damage occurs.
Simple and Flexible Identity Infrastructure
In the world of IoT, the concept of identity might also include relationships and places, allowing access to a device only if the accessing user or device is in a certain location. Each device takes on a contextual identity with relationships and authorization decisions to manage. As identity silos proliferate, it is imperative to gain visibility and control of access rights of users and devices with the right solution.
Deliver Actionable Intelligence
Enterprises often grant remote access rights to software, hardware and numerous other vendors and external third parties. Many companies might routinely log remote access sessions, but few have capabilities to audit the access from a security standpoint. To help monitor user or device behavior and entitlements, administrators should analyze actions to discover — and fix — anomalies as well as prevent malicious activities in the future.
Traditional IAM solutions might not be able to fully address identity and access needs in the IOT. However, there has been initial consensus that integrated, risk-based, forward-looking IAM software will be key to solving complex IoT issues such as data ownership, consent, identity discovery and identity impersonation.
To learn more about securing IoT devices, download a complimentary copy of the Ponemon Institute’s 2017 State of Mobile & IoT Application Security Study.