AUGUST 2014

INFORMATION SECURITY

EDITOR'S DESK: INTERNET OF THINGS AND SECURITY

Insider Edition

SECURING THE INTERNET OF THINGS


The emerging Internet of Things raises new security concerns and
puts a spin on old ones. In this Insider Edition, InfoSec pros find out how
to assess IoT risks and create an effective IoT security policy.

IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?

WHO'S IN CHARGE HERE? SECURING THE INTERNET OF THINGS

EDITOR'S DESK

The Benefits of the Internet of Things Can't Overshadow Security Concerns

While connecting billions of new devices to the Internet offers many advantages,
organizations must also manage the risks involved. BY BRANDAN BLEVINS

BY 2015, CISCO predicts that around 25 billion devices will be connected to the Internet. That number is expected to double by 2020. This web of Internet-connected devices, dubbed the Internet of Things, has been touted by tech giants as a way to efficiently share data and improve lives. Indeed, we've already seen compelling products introduced, and the companies creating these items are profiting from API monetization schemes and other efforts.
Still, the danger associated with connecting billions of potentially vulnerable devices, many of which share sensitive data, to the Internet has not been discussed enough. This Insider Edition aims to explore those risks and how organizations can mitigate them. First, expert Ajay Kumar enumerates seven of the most pressing enterprise IoT risks today, some of which will look familiar on first glance: DDoS attacks, patch management challenges and traffic analytics. The nature and number of IoT devices puts a twist on those risks, though.
In the other features, we explore some of the challenges associated with securing IoT devices. Experts say the devices may not have the processing power to run security software, while debate also remains over which party is even responsible for securing the Internet of Things.
Numerous enterprises may see IoT as a potential gold rush, but security can't be ignored. This Insider Edition will help enterprises achieve the benefits associated with the Internet of Things while containing the risk.

2 INFORMATION SECURITY INSIDER EDITION / SECURING THE INTERNET OF THINGS

BRANDAN BLEVINS is the news writer for TechTarget Security Media Group.

COVER STORY: RISKS

SEVEN IoT RISKS YOU MUST CONSIDER

The Internet of Things is growing fast, and so are the risks. Here are seven risks that must be taken into account when planning an IoT policy.

By Ajay Kumar

THE DAY WHEN virtually every electronic device, from phones and cars to refrigerators and light switches, will be connected to the Internet is not far away. The number of Internet-connected devices is growing rapidly and is expected to reach 50 billion by 2020.
However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon significantly increases the number of security risks businesses and consumers will inevitably face. Any device connecting to the Internet with an operating system comes with the possibility of being compromised, becoming a backdoor for attackers into the enterprise.
In this feature, I discuss the proliferation of the Internet of Things and explore what enterprises can do to manage the security risks associated with IoT devices.

WHAT IS THE IoT? WHY IS IT GROWING IN POPULARITY?
The IoT sensation is rapidly embracing entire societies and holds the potential to empower and advance nearly each and every individual and business. This creates tremendous opportunities for enterprises to develop new services and products that offer increased convenience and satisfaction to their consumers.
On the user side, Google recently announced that it is partnering with major automakers Audi, General Motors and Honda to put Android-connected cars on the roads. Google is currently developing a new Android platform that connects these cars to the Internet. Soon, car owners will be able to lock or unlock their vehicles, start the engine or even monitor vehicle performance from a computer or smartphone.
The promises of IoT go far beyond those for individual users. Enterprise mobility management is a rapidly evolving example of the impact of IoT devices. Imagine if suddenly every package delivered to your organization came with a built-in RFID chip that could connect to your network and identify itself to a connected logistics system. Or picture a medical environment in which every instrument in the exam room is connected to the network to transmit patient data collected via sensors. Even in industries like farming, imagine if every animal were digitally tracked to monitor its location, health and behavior. The IoT possibilities are limitless, and so is the number of devices that could manifest.
However, despite the opportunities of IoT, it also comes with many risks. Any device that can connect to the Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are often not designed with security as a primary consideration, vulnerabilities are present in virtually all of them; just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.
Enterprises and users alike must be prepared for the numerous issues of IoT. Listed below are seven of the many risks that are inherent in an Internet of Things world, as well as suggestions to help organizations prepare for the challenge.

DISRUPTION AND DENIAL-OF-SERVICE ATTACKS
Ensuring continuous availability of IoT-based devices is important to avoid potential operational failures and interruptions to enterprise services. Even the seemingly simple process of adding new endpoints into the network, particularly automated devices that work under the principle of machine-to-machine communications like those that help run power stations or build environmental controls, requires businesses to focus attention on physical attacks on the devices in remote locations. As a result, the business must strengthen physical security to prevent unauthorized access to devices outside of the security perimeter.
Disruptive cyberattacks, such as distributed denial-of-service attacks, could have new detrimental consequences for an enterprise. If thousands of IoT devices try to access a corporate website or data feed that isn't available, formerly happy customers will become frustrated, resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market.
Many of the challenges inherent to IoT are similar to those found in a bring your own device environment. Capabilities for managing lost or stolen devices, either remote wiping or at least disabling their connectivity, are critical for dealing with compromised IoT devices. Having this enterprise strategy in place helps mitigate the risks of corporate data ending up in the wrong hands. Other policies that help manage BYOD could also be beneficial.

UNDERSTANDING THE COMPLEXITY OF VULNERABILITIES
Last year, an unknown attacker used a known vulnerability in a popular Web-connected baby monitor to spy on a two-year-old. This eye-opening incident goes to show what a high risk the IoT poses to enterprises and consumers alike. In a more dramatic example, imagine using an IoT device like a simple thermostat to manipulate temperature readings at a nuclear power plant. If attackers compromise the device, the consequences could be devastating. Understanding where vulnerabilities fall on the complexity meter, and how serious of a threat they pose, is going to become a huge dilemma. To mitigate the risk, any project involving IoT devices must be designed with security in mind, and incorporate security controls, using a pre-built role-based security model. Because these devices have hardware, platforms and software that enterprises may never have seen before, the types of vulnerabilities may be unlike anything organizations have dealt with previously. It's critical not to underestimate the elevated risk many IoT devices may pose.

IoT VULNERABILITY MANAGEMENT
Another big challenge for enterprises in an IoT environment is figuring out how to quickly patch IoT device vulnerabilities, and how to prioritize vulnerability patching.
Because most IoT devices require a firmware update to patch vulnerabilities, the task can be complex to accomplish on the fly. For example, if a printer requires firmware upgrading, IT departments are unlikely to be able to apply a patch as quickly as they would in a server or desktop system; upgrading custom firmware often requires extra time and effort.
Also challenging for enterprises is dealing with the default credentials provided when IoT devices are first used. Often, devices such as wireless access points or printers come with known administrator IDs and passwords. On top of this, devices may provide a built-in Web server to which admins can remotely connect, log in and manage the device. This is a huge vulnerability that can put IoT devices into attackers' hands. This requires enterprises to develop a stringent commissioning process. It also requires them to create a development environment where the initial configuration settings of the devices can be tested, scanned to identify any kind of vulnerabilities they present and validated, allowing the organization to address any issues before the device is moved into the production environment. This further requires a compliance team to certify that the device is ready for production, test the security control on a periodic basis and make sure that any changes to the device are closely monitored and controlled and that any operational vulnerabilities found are addressed promptly.
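
A commissioning gate of this kind can be written as a set of checks run against a device's initial configuration, plus a fingerprint of the certified configuration for the periodic re-check. The Python below is an added example, not part of the original article; the configuration field names, baseline values and the sample printer export are constructed assumptions.

```python
import hashlib
import json

# Constructed baseline an organization might define for one device model.
BASELINE = {
    "min_firmware": "2.4.1",   # lowest firmware release approved for production
    "mgmt_vlans": {40},        # VLANs allowed to reach the management interface
}

# Constructed configuration export for a printer in the test environment.
SAMPLE_EXPORT = """
{
  "device_id": "printer-lab-01",
  "firmware": "2.3.9",
  "admin_password_changed": false,
  "web_admin": {"enabled": true, "tls": false, "reachable_from_vlans": [10, 40]}
}
"""


def load_sample():
    """Parse the constructed export into a dictionary."""
    return json.loads(SAMPLE_EXPORT)


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so releases compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))


def commissioning_findings(config, baseline=BASELINE):
    """Return the reasons this device is not ready for production (empty list = pass)."""
    findings = []
    if not config.get("admin_password_changed", False):
        findings.append("default administrator credentials not changed")
    if parse_version(config["firmware"]) < parse_version(baseline["min_firmware"]):
        findings.append("firmware %s is below baseline %s"
                        % (config["firmware"], baseline["min_firmware"]))
    web = config.get("web_admin", {})
    if web.get("enabled"):
        if not web.get("tls"):
            findings.append("web management interface served without TLS")
        exposed = set(web.get("reachable_from_vlans", [])) - baseline["mgmt_vlans"]
        if exposed:
            findings.append("web management reachable from VLANs %s" % sorted(exposed))
    return findings


def fingerprint(config):
    """Hash a canonical form of the configuration at certification time."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def has_drifted(certified_fingerprint, current_config):
    """Periodic re-check: True when the device no longer matches what was certified."""
    return fingerprint(current_config) != certified_fingerprint


if __name__ == "__main__":
    device = load_sample()
    for finding in commissioning_findings(device):
        print("FAIL", device["device_id"], finding)
```
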

IDENTIFYING, IMPLEMENTING SECURITY CONTROLS
In the IT world, redundancy is critical; should one product fail, another is there to take over. The concept of layered security works similarly, but it remains to be seen how well enterprises can layer security and redundancy to manage IoT risk. For example, in the healthcare industry, medical devices are available that not only monitor patients' health statuses, but also dispense medicine based on analysis these devices perform. It's easy to imagine how tragic consequences could result if these devices became compromised.
The challenges for enterprises lie in identifying where security controls are needed for this emerging breed of Internet-connected devices, and then implementing effective controls. Given the diversity that exists among these devices, organizations should conduct customized risk assessments to identify the dangers and determine how best to contain them.
An interesting recent example was the case of former Vice President Dick Cheney disabling the remote connectivity of a defibrillator implanted in his chest. Unfortunately most enterprises don't have the luxury of taking these devices offline. In any event, organizations that embrace IoT must define their own information security controls to ensure the acceptable and adequate protection of the IoT evolution. As the trend matures, best practices will certainly emerge from industry professionals.

FULFILLING THE NEED FOR SECURITY ANALYTICS CAPABILITIES
The variety of new Wi-Fi-enabled devices connecting to the Internet creates a flood of data for enterprises to collect, aggregate, process and analyze. While organizations can identify new business opportunities based on this data, new risks emerge as well.
With all of this data, organizations must be able to identify legitimate and malicious traffic patterns on IoT devices. For example, if an employee tries to download a seemingly legitimate app onto a smartphone that contains malware, it is critical to have actionable threat intelligence measures in place to identify the threat. The best analytical tools and algorithms not only detect malicious activity, but also improve customer support efforts and improve the services being offered to the customers.
To prepare for these challenges, enterprises must build the right set of tools and processes required to provide adequate security analytics capabilities.

MODULAR HARDWARE AND SOFTWARE COMPONENTS
Security should be considered and implemented in every aspect of IoT to better control the parts and modules of Internet-connected devices. Because attackers often exploit vulnerabilities in IoT devices after they have been implemented, organizations should consider a security paradigm like the Forrester Zero Trust model for these devices.
Where possible, enterprises should proactively set the stage by isolating these devices to their own network segment or VLAN. Additionally, technologies such as micro-kernels or hypervisors can be used with embedded systems to isolate the systems in the event of a security breach.

RAPID DEMAND IN BANDWIDTH REQUIREMENT
A Palo Alto Networks Inc. study revealed that between November 2011 and May 2012, network traffic jumped 700% on networks the vendor observed, largely due to streaming media, peer-to-peer applications and social networking. As more devices connect to the Internet, this number will continue to grow.
However, the increased demand for the Internet will potentially proliferate business continuity risks. If critical applications do not receive their required bandwidth, consumers will have bad experiences, employee productivity will suffer and enterprise profitability could fall.
To ensure high availability of their services, enterprises must consider adding bandwidth and boosting traffic management and monitoring. This not only mitigates business continuity risks, but also prevents potential losses. In addition, from the project-planning standpoint, organizations should carry out capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met.

CONCLUSION
The Internet of Things has great potential for the consumer as well as for enterprises, but not without risk. Information security organizations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology we can't even foresee currently. Enterprise security teams should take the initiative now to research security best practices to secure these emerging devices, and be prepared to update risk matrices and security policies as these devices make their way onto enterprise networks to enable machine-to-machine communication, huge data collection and numerous other uses. This increased complexity within the enterprise shouldn't be overlooked, and threat modeling will be necessary to ensure the basic security principles of confidentiality, integrity and availability are maintained in what will be an increasingly interconnected digital world.

AJAY KUMAR is an information security manager who has been working for a decade in the information security and risk management domain, and has expertise in cybersecurity, identity and access management, security operations management, data protection, cloud security and mobile security. Ajay can be reached at akumar_net2002@yahoo.com.

READY?

IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?

It's time to start prepping a security policy for the coming IoT era, to avoid the free for all we saw with the bring-your-own movement.

By Kevin Beaver

THE INTERNET OF THINGS is more than just cars, clocks and coffeemakers. It's about an entirely new frontier of networked devices that affect enterprise security both directly and indirectly. One of the recent discussion points has been around whether or not the average corporate network can even handle the Internet of Things' bandwidth requirements. It's certainly something to be thinking about, but it seems moot when you consider the potential for the inevitable security headaches.
Enterprises have enough trouble keeping up with the security of their traditional network systems. Many people struggle with knowing where their systems, and especially their sensitive data, are located. Others have no clear picture of their current security posture or what's taking place on the network at any given moment. No doubt, the largest group consists of IT and security staff who struggle to get, and keep, management and their general user base on board with security. With the Internet of Things, these issues become even more of a challenge. I suspect we're going to experience a side of security we never anticipated.

Since the beginning of my career in information security, I've worked by the mantra that if a system has an IP address or a URL and it touches the business network or processes sensitive information in any way, then it's fair game for attack. It should also be fair game to fall within the scope of existing security management programs. Similar to mobile devices, instant messaging, social media usage and the like, we're not going to stop the Internet of Things from growing. It has to be front and center in your security discussions.

PLAYING BY THE RULES
One of the core principles of minimizing information risks is to lay out a set of rules to play by in the form of well-written security policies. If proper expectations are not set, then it's a free for all, not unlike what we see with BYOD. The good news is that securing, or protecting against, the Internet of Things is not going to be much different from securing any other aspect of the network. It's about perspective and priorities. Here are some security policy-centric items you must consider with Internet of Things in the enterprise:

What role will your existing security policies play? You won't have to start from scratch. Your existing policies around passwords, patching and system monitoring will likely suffice. The important thing is to ensure that the Internet of Things falls within the scope of each of these policies where necessary.

Will new security policies be required? You might find that new (or updated) policies around network segmentation and access control are needed to ensure these devices are kept in their place, similar to how you might handle wireless access points and guest Internet connections. Be sure to consider the Internet of Things implications for business partners, suppliers and customers that have network connections into your environment as well. What additional risks will each of your employees' Internet of Things devices at home introduce to your network via VPN connections?

Who's going to ensure that your policies are both enforceable and actually enforced to minimize your Internet-of-Things risks? Management and users may buy into policies around core business applications, but how are they going to perceive your desire to secure seemingly harmless devices with minimal business purpose? You need to be able to quantify the risk by performing a risk analysis and determining the likelihood and impact when threats exploit Internet of Things vulnerabilities. A good BYOD security program now can not only serve as a good indication of things to come but also the groundwork for your Internet of Things policy enforcement.

Who's going to be monitoring the Internet of Things? You could ultimately be looking at double the number of hosts (or more) on your network at some point in the near future. Will you need additional staff to ensure everything is kept in check? Will your managed security services provider be able to accommodate these systems?

I don't typically buy into the marketing hype associated with emerging areas of IT, such as the cloud and big data, but there is something to be said about the Internet of Things. The term is a bit jargon-ish but the business consequences are real. Cisco estimates that the Internet of Things will grow to 50 billion devices by 2020. That represents a significant number of systems that will somehow need your attention. These devices could open up backdoors into your network. They can facilitate malware propagation. They can end up storing sensitive business information. They can lead to denial-of-service conditions. Is your business prepared? Are you going to be able to justify taking time away from the things you're currently doing to tend to this new realm of systems invading your network?
Complexity is one of the largest barriers to effective security, and the Internet of Things is no doubt going to increase that exponentially for organizations both large and small. You're going to have to up your security game by doing more of it: better, faster, and cheaper than ever before. Now's the time to be thinking about keeping the Internet of Things in check on your network and any other networks that are associated with your business. Get the right people on board and at least start with a policy update that outlines what you're doing and not doing (allowing and not allowing) with all of these connected devices. Policies aren't the magic solution to security. In fact, they often do more harm than good by creating a false sense of security and compliance. But do it anyway; any positive action toward a better, more secure Internet of Things will provide many long-term payoffs for the business as a whole.

KEVIN BEAVER is an information security consultant, writer, professional, speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.

RESPONSIBILITY

WHO'S IN CHARGE HERE? SECURING THE INTERNET OF THINGS

It's a big task, securing the Internet of Things, and a key step is to figure out who exactly is responsible.

By Shamus McGillicuddy

ADVOCATES SAY THE Internet of Things is a multi-trillion dollar business opportunity, but it's also a potential disaster for privacy and safety. Before we connect everything around us to the Internet, we need to think about security.
Internet of Things security is difficult to discuss because the concept is so immense. When you make everything IP-connected, how do you lock all of that down? Cars, cows, oil rigs, medical devices, refrigerators. There is no perimeter that can encircle all of that.
"The challenge we have is that each of those areas is really pretty separate," said Bret Hartman. "The technologies working in those areas tend to focus specifically on their own area. It's not going to be one-size-fits-all for [Internet of Things] security."
Companies and individuals will also find that they lose a lot of control over where their data is and where it is going. When consumerization struck the enterprise, power and control over data and connectivity shifted from IT to the user. IT is still adapting to that shock. Now another shift is coming.

"Power is shifting from the user to machines," said Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack Security Inc. "And when it shifts to machines, connectivity is the inverse to security. The more connectivity you have, the less security you have, unless you can layer it in properly."

INTERNET OF THINGS SECURITY: IT'S NOT EASY
Locking down the so-called things on the Internet of Things is a daunting task because security takes computing power, and many things have only the bare minimum, if that.
"Usually these endpoint devices aren't very big. They don't have a lot of compute power to do much, especially around security," Hartman said. "There are IP-addressable light bulbs. There's not a whole lot of processing power left in there for security."
Furthermore, wherever you have an IP-connected thing, you also have an operating system. Operating systems need to be patched. When they aren't, hackers find vulnerabilities. Botnets will find millions of new recruits in the form of zombie appliances and other things.
These things are all communicating with each other, too. And they influence each other.
"How much is going to go wrong if someone hacks a cow's monitoring system?" asked Eric Hanselman, chief analyst for New York-based 451 Research. "It's all just passive data collection. It's not a big deal. But data about a cow's health might go to another thing on a farm that crunches that data and spits out new data. Then that data goes elsewhere, all across IP networks.
"These are typically paths that are poorly protected. The bigger problem is not so much the endpoints, but the fact that the data paths themselves create a new attack platform."
"What if your microwave was taken over and it kept telling your fridge to shut down?" said Chakravarty of ThreatTrack. "You wouldn't know there was something wrong with your microwave. The user is slowly stepping out of the equation. We may be carrying a phone, but it's not just a phone. It's a transmitter and receiver that can propagate information exactly like a router would on a network."

INTERNET OF THINGS SECURITY: HOW DO YOU DO IT?
Some engineers say network monitoring is the way to solve the problem.
"It's much more about using the network fabric to watch traffic across all these devices and limit [that traffic] where there appears to be some abuse or potential attack happening," Cisco's Hartman said. "In an industrial control system, you might change [a robot's] settings with a management console, but you wouldn't expect two robotic arms to reprogram each other. So you can look at that kind of traffic and say this shouldn't be happening. You can control and limit the traffic that goes among these [robots]."
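
The robotic-arm case above, and the earlier advice in this edition to isolate IoT devices on their own network segment or VLAN, both come down to checking observed flows against the small set of conversations each device role is expected to have. The Python below is an added example, not code from the article or from any vendor; the subnets, role names, port numbers and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed addressing plan: plant devices live on their own isolated segment.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed inventory mapping device addresses to roles.
ROLES = {
    "10.20.0.5": "mgmt_console",
    "10.20.0.11": "robot_arm",
    "10.20.0.12": "robot_arm",
    "10.20.0.30": "historian",
}

# Expected conversations: (source role, destination role, destination port).
ALLOWED = {
    ("mgmt_console", "robot_arm", 4840),  # console changes a robot's settings
    ("robot_arm", "historian", 8883),     # robots publish telemetry
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.0.11", 4840),
    ("10.20.0.11", "10.20.0.30", 8883),
    ("10.20.0.11", "10.20.0.12", 4840),  # one robot arm configuring another
    ("10.20.0.12", "10.10.4.20", 445),   # device leaving its segment
    ("10.20.0.99", "10.20.0.11", 4840),  # address missing from the inventory
]


def segment_of(ip):
    """Name the segment an address belongs to, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return "external"


def classify(flow):
    """Return None for expected or out-of-scope traffic, else a short reason."""
    src, dst, port = flow
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if "iot" not in (src_seg, dst_seg):
        return None  # neither end is an IoT device
    if src_seg != dst_seg:
        return "segment-crossing"
    src_role, dst_role = ROLES.get(src), ROLES.get(dst)
    if src_role is None or dst_role is None:
        return "unknown-device"
    if (src_role, dst_role, port) in ALLOWED:
        return None
    if src_role == dst_role:
        return "peer-to-peer"
    return "unexpected-conversation"


def violations(flows):
    """Pair every flow that breaks policy with the reason it was flagged."""
    flagged = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            flagged.append((flow, reason))
    return flagged


def quarantine_candidates(flows):
    """Source addresses whose traffic should be limited pending review."""
    return sorted({flow[0] for flow, _ in violations(flows)})


if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(reason, flow)
```
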
Internet of Things security will also require encryption key management infrastructure and identity management systems that can scale into the billions, said Earl Perkins, research vice president for Stamford, Connecticut-based Gartner Inc.
"We'll have to figure out a way to protect data in an environment like this, whether it's on [an] Internet of Things thing or in an intermediate location," he said. "We'll have to revamp the way we look at encryption key management and identity management. We'll have to combine capabilities from identity management and asset management, because [people] are going to become [their own] personal cloud networks. The Internet of Things that you carry on your person and that you have at home are like a cloud of devices that surround you. You have an identity and the things have identity, but how do you keep [up] with the relationships between you and the identity of those things?"
The Internet of Things will also require a sophisticated approach to risk management. Not all of the devices on the Internet of Things will be new. Organizations are strapping IP connections onto legacy devices and systems to extract data. Those legacy systems will pose a higher risk than something engineered from the ground up to be an IP endpoint.
"You need to add intelligence to be able to deal with the level of risk [presented] by these older types of data sources," 451 Research's Hanselman said.

INTERNET OF THINGS SECURITY: WHO OWNS THE PROBLEM?
Clearly, there is a lot of work to be done in securing the Internet of Things. Before you even tackle the problem, you need to figure out who is responsible for it. Billions of new devices will start collecting and sharing data, and a wide assortment of companies will be enabling that. Who owns the problem?

SHAMUS MCGILLICUDDY is the director of news and features for TechTarget Networking Media. He writes about networking, security, data centers, network management and other topics for SearchNetworking and manages overall news coverage for TechTarget's other networking sites, including SearchUnifiedCommunications, SearchEnterpriseWAN and SearchCloudProvider. He holds a master's degree in journalism from Boston University.

TechTarget Security Media Group

EDITORIAL DIRECTOR

Robert Richardson

EXECUTIVE EDITOR

Eric Parizo

FEATURES EDITOR

Kathleen Richards

Seth Bromberger, Energy Sector Consortium

Brandan Blevins

ASSOCIATE MANAGING EDITOR


DIRECTOR OF ONLINE DESIGN
COLUMNISTS

Phil Agcaoili, Cox Communications

Kara Gattine

EXECUTIVE MANAGING EDITOR


NEWS WRITER

EDITORIAL BOARD

Brenda L. Horrigan

Linda Koury

Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter
Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N.
Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra
Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman,
Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil,
Ravila Helen White, Lenny Zeltser

TechTarget
275 Grove Street,
Newton, MA 02466
www.techtarget.com

Brian Engle, Health and Human Services Commission, Texas


Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University

Kevin Beaver, Ajay Kumar, Shamus McGillicuddy

CONTRIBUTING EDITORS

Mike Chapple, Notre Dame

Rich Mogull, Securosis


Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, ZeroPoint Risk Research

SENIOR VICE PRESIDENT/GROUP PUBLISHER

dolender@techtarget.com.

Doug Olender

© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable
quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our
live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social
community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 3: DRAFTER123/ISTOCK
