INFORMATION SECURITY
Insider Edition
EDITOR'S DESK: INTERNET OF THINGS AND SECURITY
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?
WHO'S IN CHARGE HERE? SECURING THE INTERNET OF THINGS
EDITOR'S DESK
While connecting billions of new devices to the Internet offers many advantages,
organizations must also manage the risks involved.
BY BRANDAN BLEVINS
enterprise IoT risks today, some of which will look familiar at first glance: DDoS attacks, patch management challenges and traffic analytics. The nature and number of IoT
devices put a twist on those risks, though.
In the other features, we explore some of the challenges associated with securing IoT devices. Experts say the
devices may not have the processing power to run security
software, while debate also remains over which party is
even responsible for securing the Internet of Things.
Numerous enterprises may see IoT as a potential gold
rush, but security can't be ignored. This Insider Edition
will help enterprises achieve the benefits associated with
the Internet of Things while containing the risk.
AUGUST 2014
By Ajay Kumar
often not designed with security as a primary consideration, vulnerabilities are present in virtually all of them;
just look at the amount of malware that is targeting
Android-based devices today. Similar threats will likely
proliferate among IoT devices as they catch on.
Enterprises and users alike must be prepared for the
numerous issues of IoT. Listed below are seven of the
many risks that are inherent in an Internet of Things
world, as well as suggestions to help organizations prepare for the challenge.
DISRUPTION AND
DENIAL-OF-SERVICE ATTACKS
Ensuring continuous availability of IoT-based
devices is important to avoid potential operational failures and interruptions to enterprise services.
Even the seemingly simple process of adding new endpoints into the network, particularly automated devices
that work under the principle of machine-to-machine
communications like those that help run power stations
or build environmental controls, requires businesses to
focus attention on physical attacks on the devices in remote locations. As a result, the business must strengthen
physical security to prevent unauthorized access to devices outside of the security perimeter.
Disruptive cyberattacks, such as distributed denial-of-service attacks, could have new detrimental consequences
for an enterprise. If thousands of IoT devices try to access
a corporate website or data feed that isn't available, formerly happy customers will become frustrated, resulting
in revenue loss, customer dissatisfaction and potentially
poor reception in the market.
Many of the challenges inherent to IoT are similar to
those found in a bring your own device environment. Capabilities for managing lost or stolen devices, either remote wiping or at least disabling their connectivity, are
critical for dealing with compromised IoT devices. Having this enterprise strategy in place helps mitigate the
risks of corporate data ending up in the wrong hands.
Other policies that help manage BYOD could also be
beneficial.
UNDERSTANDING THE
COMPLEXITY OF VULNERABILITIES
Last year, an unknown attacker used a known
vulnerability in a popular Web-connected baby
monitor to spy on a two-year-old. This eye-opening incident goes to show what a high risk the IoT poses to
enterprises and consumers alike. In a more dramatic example, imagine using an IoT device like a simple thermostat to manipulate temperature readings at a nuclear
power plant. If attackers compromise the device, the consequences could be devastating. Understanding where
vulnerabilities fall on the complexity meter, and how
serious of a threat they pose, is going to become a huge
dilemma. To mitigate the risk, any project involving IoT
devices must be designed with security in mind, and incorporate security controls, using a pre-built role-based
security model. Because these devices have hardware,
platforms and software that enterprises may never have
seen before, the types of vulnerabilities may be unlike
anything organizations have dealt with previously. It's
critical not to underestimate the elevated risk many IoT
devices may pose.
IDENTIFYING, IMPLEMENTING
SECURITY CONTROLS
In the IT world, redundancy is critical; should
one product fail, another is there to take over.
The concept of layered security works similarly, but it remains to be seen how well enterprises can layer security
and redundancy to manage IoT risk. For example, in the
healthcare industry, medical devices are available that not
only monitor patients' health statuses, but also dispense
medicine based on analysis these devices perform. It's
easy to imagine how tragic consequences could result if
these devices became compromised.
The challenges for enterprises lie in identifying where
security controls are needed for this emerging breed of
Internet-connected devices, and then implementing effective controls. Given the diversity that exists among
these devices, organizations should conduct customized
risk assessments to identify the dangers and determine
how best to contain them.
An interesting recent example was the case of former
Vice President Dick Cheney disabling the remote connectivity of a defibrillator implanted in his chest. Unfortunately most enterprises don't have the luxury of taking
these devices offline. In any event, organizations that
embrace IoT must define their own information security
controls to ensure the acceptable and adequate protection
of the IoT evolution. As the trend matures, best practices
will certainly emerge from industry professionals.
MODULAR HARDWARE
AND SOFTWARE COMPONENTS
Security should be considered and implemented in every aspect of IoT to better control
the parts and modules of Internet-connected devices.
Because attackers often exploit vulnerabilities in IoT
devices after they have been implemented, organizations
should consider a security paradigm like the Forrester
Zero Trust model for these devices.
Where possible, enterprises should proactively set
the stage by isolating these devices to their own network
segment or VLAN. Additionally, technologies such as
micro-kernels or hypervisors can be used with embedded
systems to isolate the systems in the event of a security
breach.
CONCLUSION
The Internet of Things has great potential for the consumer as well as for enterprises, but not without risk.
Information security organizations must begin preparations to transition from securing PCs, servers, mobile
devices and traditional IT infrastructure, to managing a
much broader set of interconnected items incorporating
wearable devices, sensors and technology we can't even
foresee currently. Enterprise security teams should take
RAPID DEMAND IN
BANDWIDTH REQUIREMENT
A Palo Alto Networks Inc. study revealed
that between November 2011 and May 2012,
network traffic jumped 700% on networks the vendor
IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?
coffeemakers. It's about an entirely new frontier of networked devices that affect enterprise security both directly and indirectly. One of the recent discussion points
has been around whether or not the average corporate
network can even handle the Internet of Things' bandwidth requirements. It's certainly something to be thinking about, but it seems moot when you consider the
potential for the inevitable security headaches.
Enterprises have enough trouble keeping up with the
security of their traditional network systems. Many people struggle with knowing where their systems, and especially their sensitive data, are located. Others have no
clear picture of their current security posture or what's
taking place on the network at any given moment. No
doubt, the largest group consists of IT and security staff
who struggle to get, and keep, management and their
general user base on board with security. With the Internet of Things, these issues become even more of a
challenge. I suspect we're going to experience a side of security we never anticipated.
By Kevin Beaver
Since the beginning of my career in information security, I've worked by the mantra that if a system has an IP
address or a URL and it touches the business network or
processes sensitive information in any way, then it's fair
game for attack. It should also be fair game to fall within
the scope of existing security management programs.
Similar to mobile devices, instant messaging, social media usage and the like, we're not going to stop the Internet of Things from growing. It has to be front and center
in your security discussions.
You won't have to start from scratch. Your existing policies around passwords, patching, system monitoring will
likely suffice. The important thing is to ensure that the
Internet of Things falls within the scope of each of these
I don't typically buy into the marketing hype associated with emerging areas of IT, such as the cloud and big
data, but there is something to be said about the Internet
of Things. The term is a bit jargon-ish but the business
consequences are real. Cisco estimates that the Internet of Things will grow to 50 billion devices by 2020.
That represents a significant number of systems that
will somehow need your attention. These devices could
open up backdoors into your network. They can facilitate
malware propagation. They can end up storing sensitive
business information. They can lead to denial-of-service
conditions. Is your business prepared? Are you going to
be able to justify taking time away from the things you're
currently doing to tend to this new realm of systems invading your network?
Complexity is one of the largest barriers to effective
security, and the Internet of Things is no doubt going to
increase that exponentially for organizations both large
WHO'S IN CHARGE HERE? SECURING THE INTERNET OF THINGS
dollar business opportunity, but it's also a potential disaster for privacy and safety. Before we connect everything around us to the Internet, we need to think about
security.
Internet of Things security is difficult to discuss because the concept is so immense. When you make everything IP-connected, how do you lock all of that down?
Cars, cows, oil rigs, medical devices, refrigerators. There
is no perimeter that can encircle all of that.
"The challenge we have is that each of those areas is
really pretty separate," said Bret Hartman. "The technologies working in those areas tend to focus specifically on
their own area. It's not going to be one-size-fits-all for
[Internet of Things] security."
Companies and individuals will also find that they lose
a lot of control over where their data is and where it is going. When consumerization struck the enterprise, power
and control over data and connectivity shifted from IT to
the user. IT is still adapting to that shock. Now another
shift is coming.
By Shamus McGillicuddy
You can control and limit the traffic that goes among
these [robots].
Internet of Things security will also require encryption key management infrastructure and identity management systems that can scale into the billions, said Earl
Perkins, research vice president for Stamford, Connecticut-based Gartner Inc.
"We'll have to figure out a way to protect data in an
environment like this, whether it's on [an] Internet of
Things thing or in an intermediate location," he said.
"We'll have to revamp the way we look at encryption key
management and identity management. We'll have to
combine capabilities from identity management and asset management, because [people] are going to become
[their own] personal cloud networks. The Internet of
Things that you carry on your person and that you have at
home are like a cloud of devices that surround you. You
have an identity and the things have identity, but how do
you keep [up] with the relationships between you and the
identity of those things?"
The Internet of Things will also require a sophisticated approach to risk management. Not all of the devices
on the Internet of Things will be new. Organizations are
strapping IP connections onto legacy devices and systems
EDITORIAL DIRECTOR
Robert Richardson
EXECUTIVE EDITOR
Eric Parizo
FEATURES EDITOR
Kathleen Richards
Brandan Blevins
Kara Gattine
EDITORIAL BOARD
Brenda L. Horrigan
Linda Koury
Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter
Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N.
Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra
Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman,
Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil,
Ravila Helen White, Lenny Zeltser
TechTarget
275 Grove Street,
Newton, MA 02466
www.techtarget.com
CONTRIBUTING EDITORS
dolender@techtarget.com.
Doug Olender
© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written
permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable
quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our
live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social
community, you can get advice and share solutions with peers and experts.