Qualys Blog

www.qualys.com

Enterprise IoT Risk Is Getting Real

There’s lots of fear, uncertainty and doubt (FUD) concerning security and the Internet of Things. But for enterprises, IoT risk is no joke – and may have already arrived.

The “Internet of Things” (IoT) is everywhere in the news these days. The buzzword-to-beat-all-buzzwords, “IoT” encompasses everything from Internet-connected egg trays and driverless cars to smart manufacturing and smart infrastructure. Under the covers, the constituent elements of IoT – things like remote sensing, mobile technology, cloud computing, SaaS and ‘big data’ – are hardly new. Still, the confluence of all these technologies is new, and it’s fueling a lot of innovation. It’s no exaggeration to say that we stand on the cusp of a rapid expansion of connected “stuff” in our daily lives, as smart home products hit the market and smart city projects allow strapped federal, state and local governments to realize huge savings.

But what about security? Numerous surveys name security and privacy as the top concerns about the Internet of Things and – possibly – obstacles to the adoption of IoT technologies. (Those surveys include, just this week, a poll of attendees at the Internet of Things World Forum in Chicago that named “security” as the paramount concern of attendees.) Specifically: CxOs and information technology teams are concerned about the ways in which unconstrained adoption of IoT technologies might undermine other security and risk management initiatives – tipping over an already precarious apple cart.

According to an expert panel at Qualys Security Conference, QSC14, in Las Vegas this week, those fears are not unfounded. In fact: the time to start thinking hard about your IoT risk may have already arrived.

Speaking as part of the panel “Refrigerator Spam and other Tall Tales” on Thursday evening, Danny McPherson, the Senior Vice President and Chief Security Officer at VeriSign, said that IoT-related risks have already arrived in enterprises. McPherson said his staff is on guard for devices like flat screen TVs that employees bring in to the office. While employees don’t think of them as traditional “endpoints,” they are, said McPherson, who noted that most late-model TVs are simply PCs by a different name, with an operating system (typically Linux), a full networking stack including wireless access, and an application ecosystem.

Fellow panelist Chuka Eze of Xipiter, a security consultancy that specializes in testing of embedded devices, noted that enterprises would do well to be wary of IoT products. Connected devices are pouring out of crowd-funded efforts on sites like Kickstarter and Indiegogo, where the emphasis is on feature development and quick time to market. No surprise: security is often an afterthought, Eze said. Consumer IoT devices are often cobbled together using open source software and commercial off-the-shelf hardware. Those components often contain exploitable vulnerabilities (as the recent string of vulnerabilities in SSL and Bash proves). Beyond that, the products are often deployed in an insecure manner, with services like FTP readily exposed, Eze warned the audience.

At a minimum, enterprises should pay close attention to technology and devices that are brought into an organization by way of third party contractors. Noting the recent breach of retailer Target, Eze warned that HVAC and building automation systems are a good example of an “IoT” story that involves real enterprise risk. Environmental, physical access and surveillance systems these days are likely to sport remote access capabilities and web-based management interfaces. Too often, those systems are deployed and managed by third party contractors who aren’t accountable to IT. Indeed, the information technology group may not have any visibility into these systems, which are often deployed with factory default settings such as default administrator account names and passwords. That makes them easy pickings for both sophisticated and unsophisticated hackers, he said. And in many cases, sanctioned or unsanctioned links exist between those third party networks and protected, corporate networks. Those links can be exploited as part of a larger attack, such as the compromise at Target, Eze said.

With enterprise IT groups already struggling (often unsuccessfully) to stop breaches or contain their damage, a huge expansion in the number of endpoints joining enterprise networks poses a real concern, McPherson said.

What’s to be done? A lot of the things you’re already doing, said Jonathan Trull, Qualys’s Chief Information Security Officer. Trull noted that securing Internet of Things technologies doesn’t require organizations to re-write the book on enterprise security. Traditional “layered” defense works as well in the IoT context as it does in the traditional IT context. Similarly, many existing IT security processes and tools are relevant to future environments that will contain both traditional IT and IoT assets. But those tools will have to scale up to the challenge of IoT networks, he said.

But the adoption of IoT technologies – planned or otherwise – will challenge organizations mightily to keep track of their IT assets. Trull, who was the CISO of the State of Colorado, said that connected and “smart” devices are often too easy to deploy – and then forget. Enterprise IT groups will need clear policies that govern what kinds of connected devices can get access to their network. They will also need to be able to actively manage those devices as they do other kinds of endpoints: monitoring for vulnerabilities and suspicious activity and, when necessary, pushing patches or firmware updates to them. IoT devices that haven’t been designed to make tasks like that possible, or that have such an uncertain provenance that their integrity can’t be verified will need to be identified and shut out of sensitive networks and environments, Trull said.
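The policy Trull describes (decide which connected devices may join the network, keep them under active management, and shut out the ones whose integrity cannot be verified) can be applied mechanically once an organization has a device inventory. The script below is an added example and not Qualys code or anything presented at the panel: it takes a constructed discovery export (hypothetical MACs, hostnames and vendor names) and a constructed policy, and assigns each device an allow, review or quarantine decision with the reasons behind it. The rules encode the points raised above: unidentified devices are quarantined, devices from vendors with no managed update channel cannot stay on a sensitive network, contractor-administered assets need IT visibility, and legacy management services such as FTP or telnet must not be reachable from the corporate LAN.

```python
"""Reconcile discovered network devices against a connected-device policy.

Added example: a reconciliation pass that turns a discovery export into
allow / review / quarantine decisions. Device records, vendors and policy
values are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample discovery output, in the shape a DHCP lease or network
# scan export might take. MACs, hostnames and vendor names are made up.
DISCOVERED = [
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.20.1.15", "hostname": "ws-finance-07",
     "vendor": "Dell", "open_ports": [135, 445]},
    {"mac": "aa:bb:cc:11:22:33", "ip": "10.20.1.88", "hostname": "SmartTV-LivingRoom",
     "vendor": "ExampleTV", "open_ports": [80, 8080, 1900]},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.20.1.120", "hostname": "hvac-ctrl-2",
     "vendor": "ExampleHVAC", "open_ports": [21, 23, 80]},
    {"mac": "12:34:56:78:9a:bc", "ip": "10.20.1.200", "hostname": "",
     "vendor": "", "open_ports": [80]},
]

# Constructed policy (hypothetical values): which networks are sensitive, which
# vendors IT can actually patch, which assets a contractor administers, and
# which services must never be exposed on the corporate LAN.
POLICY = {
    "sensitive_networks": [ipaddress.ip_network("10.20.1.0/24")],
    "managed_vendors": {"Dell", "ExampleHVAC"},
    "third_party_owned": {"hvac-ctrl-2": "facilities-contractor"},
    "disallowed_services": {21: "ftp", 23: "telnet"},
}

# Decisions in increasing order of severity; a device keeps the worst one it earns.
SEVERITY = {"allow": 0, "review": 1, "quarantine": 2}


@dataclass
class Assessment:
    hostname: str
    ip: str
    decision: str = "allow"
    reasons: list = field(default_factory=list)

    def escalate(self, decision: str, reason: str) -> None:
        """Record a finding and raise the decision if it is more severe."""
        self.reasons.append(reason)
        if SEVERITY[decision] > SEVERITY[self.decision]:
            self.decision = decision


def assess(device: dict, policy: dict) -> Assessment:
    """Apply the policy rules to one discovered device."""
    result = Assessment(hostname=device["hostname"], ip=device["ip"])
    addr = ipaddress.ip_address(device["ip"])
    in_sensitive = any(addr in net for net in policy["sensitive_networks"])

    # Rule 1: a device with no identity cannot have its integrity verified.
    if not device["vendor"] or not device["hostname"]:
        result.escalate("quarantine", "unidentified device: provenance cannot be verified")
    # Rule 2: no managed patch/firmware channel means IT cannot remediate it.
    elif device["vendor"] not in policy["managed_vendors"]:
        result.escalate("quarantine" if in_sensitive else "review",
                        f"vendor {device['vendor']!r} has no managed update channel")

    # Rule 3: contractor-administered assets need IT visibility before they stay.
    owner = policy["third_party_owned"].get(device["hostname"])
    if owner:
        result.escalate("review", f"administered by third party {owner!r}; confirm IT visibility")

    # Rule 4: management services that should not be reachable from the LAN.
    exposed = sorted(name for port, name in policy["disallowed_services"].items()
                     if port in device["open_ports"])
    if exposed:
        result.escalate("review", "exposes disallowed services: " + ", ".join(exposed))

    return result


def reconcile(devices: list, policy: dict) -> list:
    """Assess every discovered device against the policy."""
    return [assess(d, policy) for d in devices]


def summarize(assessments: list) -> dict:
    """Count devices per decision, e.g. for a daily report."""
    return dict(Counter(a.decision for a in assessments))


if __name__ == "__main__":
    results = reconcile(DISCOVERED, POLICY)
    for a in results:
        print(f"{a.decision:10} {a.hostname or a.ip:20} {'; '.join(a.reasons) or 'no findings'}")
    print(summarize(results))
```

In practice the discovery export would come from the organization's own asset discovery tooling and the policy from its device standards; the value of the pass is that every decision carries the rule that produced it, so a quarantined TV or a contractor-managed HVAC controller shows up with a concrete reason rather than as an anonymous entry in a lease table.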
