Internet of Things: Who should be watching over it?
- 15 February, 2017 10:53
Australia is no stranger to cyber security attacks and breaches across businesses and government organisations. The big four banks across Australia along with companies like David Jones and Kmart have all encountered some form of security compromise over the last few years.
In fact, this year’s Telstra Cyber Security Report revealed 23.7 percent of Australian organisations detected a security breach that caused business to be interrupted every month, more than twice as often as 2014. As enterprises become more interconnected across devices, the Internet of Things (IoT) has become an integral part of securing critical infrastructure.
Some victims go for extended periods of time before realising that their devices have been compromised and by then the hackers have already disrupted online services and impacted millions of people. This begs the question of who is responsible for making sure these devices are secure?
Who’s Responsible for the IoT?
The number of internet-connected devices is growing rapidly and expected to reach 50 billion by 2020. This opens things up for great leaps in technology and innovation. This opens things up for great leaps in technology and innovation. The potential for cyber threats also greatly increases.
Poor habits in security practices such as weak default passwords in hardware that can never be updated are just one way cybercriminals can gain access to the infrastructure and will have an even greater impact as IoT becomes more of a necessity.
Securing devices while in development requires forethought. Bypassing this process has the potential to cost enterprises far more if they are breached, erode the trust of the vendors' customers, and ultimately impact the revenue of the manufacturer. To keep pace, IoT manufacturers should take responsibility for the security of their devices and organisations who place devices on their networks need to be sure the environment is secure.
Vendors should be responsible for securing their technology. The administrators of the environment the devices are deployed in should be responsible for the security of their environment. Device manufacturers should assume they are being deployed in a hostile environment and the administrators should assume that the devices themselves are hostile.
IoT manufacturers and enterprises introducing connected technologies into their environments should think about security from a holistic perspective, understanding what capabilities are needed before deployment, during an attack, and post-compromise.
Security Before Deployment
Prior to deployment, reduce the attack aperture by designing patterns that minimise trust boundaries. It is also good to start introducing strong security hygiene habits. These can include isolating solutions when possible and becoming a trust zone in an untrusted environment, modelling the behaviour of the system and understanding deviations, allowing your customer to enhance security, and understanding the adversaries’ focus and threat model.
It is also a positive idea to authenticate, authorise and audit. Only give users access to information and resources that they need and employ defensive programming. Regardless of circumstance, work on the assumption that all input is malicious.
Defence During an Engagement
During engagements it is critical to use encryption at rest and in flight, protecting the keys at all times. Say “NO” to custom crypto - even when done correctly it can still leave businesses with a false sense of security. Businesses should also be able to push out updates to deployable devices in the field securely.
Be Ready to Remediate Post-Compromise
After being compromised be sure the capabilities are there to get devices back to a trusted state. Be in a position to determine the cause of the attack. Cultivate a method for fixing the issue in a development process before deployment.
As IoT technology grows and more people connect their personal as well as their professional lives to a network the risk for cybercrime such as ransomware can become a reality. Personal computers, laptops, and smartphones are not the only devices hackers are targeting.
Thermostats, televisions, MRI machines, and even pacemakers amongst other devices that are connected to the network can have serious implications should they be compromised. As these risks continue to impact more and more people, the demand for strong security will grow. Now is the time for the industry to self-regulate by adopting strong security practices that will help businesses and individuals avoid costly and potentially dangerous compromises.
Jon R. Ramsey is Chief Technology Officer at SecureWorks