Security and IoT

The rapid onslaught of IoT devices can indeed help us in our daily lives, by providing connectivity and ‘smart things’ that make life easier. However, as we move into this new phase of technology, there must be a concentrated effort on the security of all the new devices and supporting applications. In the Cybersecurity Sourcebook 2017, from Database Trends and Applications, I wrote the article below, where I explored this topic. And while I cannot cover all issues in this one article, I do think it is worth starting as many conversations on the subject as possible, so that we can protect ourselves from cyber security threats. Here is a reprint of my article from the ‘Database Trends and Applications Cybersecurity Sourcebook 2017’. You can find the full article and more at dbta.com.

The Internet of Things (IoT) continues to gain momentum. The number of connected IoT devices, from refrigerators to health devices, has been projected to grow at a compound annual rate of 23.1% from 2014 to 2020, reaching 50.1 billion things in 2020, according to recent research. Whether or not the number of devices linked to the internet reaches this lofty figure in the next three years, it is clear that the growth in sensors and gadgets is explosive. The question is: if devices keep proliferating at this rate, how will all of the data they generate stay protected, private, and secure?

The consumer's appetite for easy, always-on, everywhere access seems to be insatiable. For instance, a shopper who forgets the grocery list at home can now check inside the refrigerator remotely to see whether eggs or milk are needed. This kind of IoT capability is growing faster than expected, which adds pressure on the infrastructure, people, process, and technology that keep everything functional. The catch is that each new use of an IoT device opens another endpoint on a network, and every endpoint is a potential security issue. In some cases these devices broadcast information about themselves, which gives cybercriminals a convenient starting point for finding vulnerabilities.

To keep these platforms secure, the brunt of the responsibility rests on the shoulders of the producers of these “things”: keeping the dynamic data and information that surges through IoT platforms protected and safe, along with the physical and virtual infrastructure that houses it all. While many are thinking about the associated security risks, fewer recognize that technology solves only a portion of the problem. Protecting IoT data also depends on the infrastructure, the people, and the process.

There are many risks to consider with IoT. In fact, TechRepublic recently reported that more than 90 million cyberattacks were estimated to be registered in 2016, which works out to roughly 170 attacks every minute. As data travels through a virtual ecosystem, security must extend beyond the device itself. Information security and physical security controls, together with the right people and process to monitor and proactively test them, are all critical to maintaining a secure environment. Layers of protection and controls are therefore needed at every level, so that the most sensitive systems in the “strongest” data center are isolated from weaker or more exposed facilities and systems, and a compromise of the latter cannot reach the former.

Technology Safeguards for IoT

Network Routes to IoT Management Systems and Devices: The route to the IoT management interface, and the devices themselves, can open up additional attack surface. IoT devices by definition communicate: they either push data upstream to a management system or are polled for it. Every API and open port is an opportunity for an attacker to discover which protocols are running and probe them for a weakness.

Social Engineering of Those Who Manage IoT Platforms: In some cases the attack begins with an innocent-looking request sent to a system administrator, who clicks on it and thereby hands the attacker access to the system.

Updating IoT Device Firmware: It sounds simple, but checking for and applying firmware updates keeps you one step ahead of those looking to exploit known flaws in IoT devices. When a vulnerability is found in a device, the manufacturer will typically identify the issue and publish a fix; the fix only closes the hole once it is actually applied, and only if the device verifies that an update genuinely comes from the manufacturer and is newer than what it already runs before installing it.
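The update check described above, as an added example that is not part of the original article or any vendor's code. It shows the three gates a device should apply before flashing an image: the manifest is authentic, the image matches the manifest's digest, and the version is newer than what is installed (so a known-bad older image cannot be pushed back on). It assumes a manifest-verification key provisioned into the device at manufacture; a real product would verify a vendor public-key signature, and the HMAC used here is a stand-in so the example runs with the Python standard library only. The firmware image bytes are constructed.

```python
"""Firmware update gate for an IoT device (illustrative example).

Assumes a key provisioned into the device at manufacture. HMAC stands in for
the vendor public-key signature a real device would verify.
"""
import hashlib
import hmac
import json

# Assumed device-side key (constructed value, not a real secret).
MANIFEST_KEY = b"constructed-manifest-key-not-for-production"


def parse_version(text):
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def canonical(manifest):
    """Canonical JSON encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_signed_manifest(version, image, key=MANIFEST_KEY):
    """Vendor side: describe an image and authenticate that description."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_update(signed, image, installed_version, key=MANIFEST_KEY):
    """Device side: return (accepted, reason).

    The checks run in this order so that nothing in an unauthenticated manifest
    (including its version field) is trusted before the tag has been verified.
    """
    manifest = signed["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False, "manifest tag invalid"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "rollback or same version refused"
    return True, "ok"


if __name__ == "__main__":
    image = b"constructed firmware image, version 2.0.0"  # stand-in for a real image
    signed = make_signed_manifest("2.0.0", image)
    print(verify_update(signed, image, "1.9.3"))            # accepted
    print(verify_update(signed, image + b"\x00", "1.9.3"))  # corrupted or tampered image
    print(verify_update(signed, image, "2.1.0"))            # downgrade attempt refused
    forged = {"manifest": dict(signed["manifest"], version="9.9.9"), "tag": signed["tag"]}
    print(verify_update(forged, image, "1.9.3"))            # edited manifest, stale tag
```

The ordering matters: if the version were compared before the tag, an attacker could edit the manifest's version field to talk the device into a "newer" image that is really an old, vulnerable one.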

Default Passwords: One area most people overlook is the default password. Devices typically ship with a factory default, and many assume this is harmless on devices that hold no sensitive, detailed information, such as a home's smart thermostat. That assumption fails because the device usually has a way to communicate back to the IoT management platform, so a default login on a “harmless” device is a foothold on everything it talks to.
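One way a device can refuse to run on factory credentials, as an added example that is not from the article or any vendor. It rejects passwords that match a known-default list, equal the username, or are derived from identifiers printed on the device label, and it blocks management login entirely until the factory password has been replaced. The default list, the device identity fields and the account record are constructed for illustration.

```python
"""Default-credential policy for an IoT device's management login (illustrative)."""
import hashlib
import hmac
import os

# Constructed sample of factory logins of the kind shipped on embedded devices.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("user", "user"), ("admin", ""),
}
PBKDF2_ROUNDS = 100_000


def credential_problems(username, password, device):
    """Return the list of policy violations; an empty list means acceptable.

    device: dict with 'model' and 'serial'. Vendors often derive defaults from
    these, and they are printed on the label, so treat them as public.
    """
    problems = []
    low_user, low_pw = username.lower(), password.lower()
    if (low_user, low_pw) in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if low_pw == low_user:
        problems.append("password equals username")
    for field in ("model", "serial"):
        value = device.get(field, "").lower()
        if value and value in low_pw:
            problems.append(f"contains device {field}")
    return problems


def set_password(account, password):
    """Store a salted PBKDF2 hash, never the password, and clear the factory flag."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    account.update(salt=salt, digest=digest, factory_default=False)
    return account


def login(account, password):
    """Return (allowed, reason).

    A device still on factory credentials may only run the password-change
    flow; it never exposes the management interface, even to the right default.
    """
    if account.get("factory_default", True):
        return False, "factory credentials active: change password first"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, account["digest"]):
        return False, "invalid credentials"
    return True, "ok"


if __name__ == "__main__":
    device = {"model": "SmartTherm-200", "serial": "ST2-00917"}  # constructed identity
    account = {"username": "admin", "factory_default": True}
    print(login(account, "admin"))                                 # blocked: setup required
    print(credential_problems("admin", "admin", device))
    print(credential_problems("admin", "SmartTherm-200!", device))  # derived from the label
    chosen = "warm-kitchen-bolt-7321"
    if not credential_problems("admin", chosen, device):
        set_password(account, chosen)
    print(login(account, chosen))                                  # (True, 'ok')
    print(login(account, "admin"))                                 # old default no longer works
```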

Back to Basics: Putting a device on a network is not a new idea; developers have been solving this design challenge for years. Software architectures have evolved over the last 25 years through standalone, fat clients, client-server, thin clients, and now device-to-server. The basic security tenets we apply to those platforms apply to IoT platforms as well.

Ask Questions of Your IoT Vendor: In many cases this means asking the same questions we asked of the earlier platform architectures, and then testing for vulnerabilities rather than taking the answers on trust. These include: How does the device capture, store, and transmit data? Is the data encrypted on the device and in transit? Is data pushed from the device to the IoT management interfaces, or pulled from it, and what does each direction expose on the network?
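A small way to test the answers to those questions, and to see the open ports and protocols mentioned under Network Routes above, as an added example that is not part of the original article. It audits a device's listening sockets from constructed `ss -tuln`-style output (the sort you would get from a shell on a Linux-based device), ignores anything bound only to the loopback address, and flags plaintext services reachable from the network. The port table is a small illustrative subset and would need to be extended for a real product.

```python
"""Listening-service audit from `ss -tuln`-style output (illustrative example)."""
import ipaddress
import re

# port -> (service name, transport encrypted?). Constructed subset for the example.
PORT_TABLE = {
    22:   ("ssh", True),
    23:   ("telnet", False),
    80:   ("http", False),
    443:  ("https", True),
    1883: ("mqtt", False),
    8883: ("mqtt over TLS", True),
    1900: ("ssdp/upnp discovery", False),
    5683: ("coap", False),
}

# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

# Constructed sample; not captured from a real device.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    [::]:8883          [::]:*
tcp   LISTEN 0      128    127.0.0.1:1883     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:49152      0.0.0.0:*
"""


def parse_sockets(text):
    """Yield (proto, address, port) for each socket line; header lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2).strip("[]"), int(match.group(3))


def is_loopback(address):
    """True for 127.x / ::1; '*' and wildcard binds are reachable from the network."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return one finding per socket reachable beyond the loopback interface.

    A listening socket means the device can be polled (data pulled from it),
    so each one is a route an attacker can probe for protocol and weakness.
    """
    findings = []
    for proto, address, port in parse_sockets(text):
        if is_loopback(address):
            continue                       # only local processes can reach it
        name, encrypted = PORT_TABLE.get(port, ("unknown", False))
        if name == "unknown":
            severity = "review"            # unlisted service: identify it before shipping
        elif not encrypted:
            severity = "high"              # plaintext management, data or discovery channel
        else:
            severity = "info"              # encrypted, but still an exposed endpoint
        findings.append({"proto": proto, "address": address, "port": port,
                         "service": name, "encrypted": encrypted, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"{finding['severity']:6} {finding['proto']}/{finding['port']:<5} "
              f"{finding['service']} on {finding['address']}")
```

The loopback-bound MQTT broker on 1883 produces no finding, while the same broker exposed on 0.0.0.0 would be flagged; where a service binds is as much a part of the answer to "how is data transmitted" as which protocol it speaks.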

Infrastructure + People + Process

The physical security features of a data center facility, such as doors, cameras, and sign-in sheets, are critical, but these measures alone can be circumvented. This is why there must be properly trained staff and controls in place to maintain a secure data center that supports all of these platforms. All data center employees should complete annual security awareness training so that they stay current with the latest threats and potential issues.

Training must go beyond those who manage the data center. Everyone who has access to the data center, from operations and IT to sales and marketing, should be aware of these security risks and what they mean for their role. Any employee who lets in a tailgater can compromise the infrastructure, people, and process. It is also important to train staff on the IoT platforms themselves, so that they understand the technology well enough to know what they should be looking for.

These persistent threats require active measures. Information security standards such as ISO 27001 will become more prevalent as a way of ensuring that there is more in place than just tools. Certification against this standard is an excellent example of engaging the whole company in security and compliance initiatives, and of putting additional controls in place to test the overall effectiveness of the information security management system (ISMS).

Infrastructure, people, process, and technology are key areas of focus that can bolster the security within the data centers that hold the IoT data. But let us not forget about some of the other risk factors when it comes to IoT.

IoT is changing the way we think about devices and applications. It forces more and more devices to interface with one another over a common network, the internet. Putting a device on a network is not a novel concept, but a massive influx of devices onto a common network opens the door to a whole new set of opportunities for attackers and to exposures never before contemplated, and preventative measures put in place now are what will help when that happens. Many of these devices are built and managed by companies and people who put functionality, rather than security, first.

What’s Ahead

Companies need to take a proactive approach to IoT security and confirm that the proper controls and policies are in place. Policies exist to protect the business and to make sure everything is in order and “working as normal”, so that clients within the data center can be confident that the infrastructure, people, process, and technology are there to support the platforms. Security procedures such as incident response, disaster recovery, and business continuity plans should be a top priority for businesses handling heavy loads of IoT data.

While these new devices are designed to make our lives easier, there is always the threat that social engineering, or simply not asking the right questions, will leave IoT device vulnerabilities in place that can be used as a launch pad for doing harm. These are just a few of the considerations that IoT security risks demand.

John M. Hawkins, vice president at vXchnge, is an author, speaker, writer, strategist, and technologist, with more than 20 years in business as a consultant to Fortune 25-500+ companies. Previously, Hawkins was a senior director for RiverMeadow, a Silicon Valley-based SaaS company, where he was instrumental in helping to define cloud mobility and providing services to large cloud providers.

In addition to my article, there are lots of other great conversations on security in this Sourcebook. You can find this article and more from Database Trends & Applications; download the full “Cybersecurity Sourcebook 2017” at dbta.com: https://www.dbta.com/DBTA-Downloads/WhitePapers/Cybersecurity-Sourcebook-2017-7145.aspx
