[BreachExchange] What CISOs need to know about securing the Internet of Things (IoT)

[Audrey McNeil]

http://www.itproportal.com/2016/08/12/what-cisos-need-to-
know-about-securing-the-internet-of-things-iot/

The rapid adoption of the Internet of Things (IoT) is hard to ignore:
Gartner estimates a compound annual growth rate of 31.7 per cent until the
end of the decade. This means that, by 2020, 20.8 billion connected things
– excluding PCs, tablets and smartphones, will join the internet. While
it’s easier for organisations to roll out their own IoT services thanks to
new mobile-based IoT platforms, there are not only opportunities arising
from growing IoT, but also new kinds of risks.

Gartner predicts that by 2020 over 25 per cent of identified attacks will
involve the IoT. Unfortunately, awareness of the risks is developing at a
slower pace. To avoid costly headaches later, forward-looking Chief
Information Security Officers (CISOs) should think about what strategies
they need to put in place now to ensure the safety of their customers and
employees. There are a number of points a CISO must consider to develop a
suitable IoT security programme.

Defining customer-facing IoT

Gartner separates customer-facing IoT devices and applications into two
distinct categories: smart devices and dumb devices. These categories
operate in distinctly different ways and require a different approach.

Dumb devices

Dumb devices are simple objects fitted with sensors that can perform and
communicate measurements and functions. These devices are generally
‘always-on’, for example fitness trackers, smart thermostats and some
connected industrial objects. More recent use cases expand this category
with task-specific devices. These are more complex devices to be treated as
‘exceptions’ and include smart glasses for manufacturing or law enforcement.

Dumb devices present risk as they can be used as vulnerable points to gain
access to the wider system. In order to maximise security, organisations
should lock them down t so that they’re only able to perform their
designated functions. This limits the possibility of them being exploited
as backdoor keys into other systems.

Smart devices

The emergence of ‘smart’ connected devices, like the connected car, means
that data loss is no longer the worst outcome of a data breach. Smart
devices can take autonomous action, as well as perform and communicate
measurements. Breaches of these devices can now cause damage to physical
assets and in serious cases injury to individuals, including customers and
employees. For example, last year a major car manufacturer had to recall –
at great expense – more than a million vehicles after one was hacked, with
millions more vehicles needing to be patched for security vulnerabilities
that impacted passenger safety.

Smart devices require a much more adaptive type of trust. Locking down
smart devices limits their functionality. For smart devices, CISOs need
protection that doesn’t inhibit usability.

Traditional trusted computing was a black and white affair. A device was
either trusted or considered compromised based on a number of predefined
properties. This isn’t effective for smart devices because they operate
under varying levels of trust. CISOs can look at Android app permissions
for inspiration. Apps are installed with a minimum set of permissions. If
the user wants to undertake more complex actions, the app may request
further permissions. This allows trust to build on less important actions.

Using data: A common protection

Many dumb and smart IoT use cases will be based on third-party cloud
communications with smart devices, both of which are not under the direct
control of the organisation. One example is a hosted application running on
external cloud services and communicating directly with a customer device.

CISOs should focus on two technology areas to maintain a level of control
without having full access to the communication flows – data-centric
security and behavioural anomaly detection.

Data-centric security solutions provide identity-aware control over
protected information without controlling the network, the device or the
application. An example of this is digital rights management, which
combines encryption with identity. Ultimately, the identity of users and
things will become a central concept in IoT security. Solutions that can
dynamically derive identities from things, and solutions that can
authenticate users based primarily or solely on contextual information will
boost efficiency.

CISOs should also have mechanisms in place that monitor the infrastructure
for any behavioural anomalies. This allows them to identify a potential
problem based on suspicious behaviour, and give their teams time to deal
with any malicious devices. This kind of approach may trigger an alert or
take a direct action based on the severity of the flag.

Lastly, it is paramount that CISOs ensure connected components can be
updated over the air, or are removable and exchangeable with newer ones.

These simple points can provide a framework to tailor an IoT security
strategy to a particular organisation. Understanding how IoT fits into your
organisation is important as its adoption is likely to increase. CISOs who
have the foresight to consider IoT security from the outset will circumvent
avoidable breaches – saving money and time and instilling confidence in
their customers and stakeholders.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160815/59a37f9c/attachment.html>