Improving IoT Security Through Awareness
By Joyce Deuley
The last quarter of 2016 was an eventful one, particularly for Internet of Things (IoT) security, and the general awareness of the industry’s vulnerabilities increased dramatically. Between October’s Distributed Denial of Service (DDoS) attacks attributed to Mirai that affected millions worldwide, the additional DDoS attacks that continued through November and early December, and the ransomware attacks against the San Francisco Municipal Transportation Authority (SFMTA), security specialists everywhere have been looking for ways to shore up current security practices, as well as to determine new measures to prevent future attacks.
Positive steps within the industry have already been taken to correct some of these IoT vulnerabilities. Google and other industry leaders in the Broadband Technical Advisory Group (BITAG), for instance, have released new documentation with suggestions to beef up IoT security. Additionally, there are plenty of tips out there for companies to better protect themselves when deploying IoT solutions, and for protecting general IoT consumers.
Shortly following the October DDoS attacks, I interviewed Sailakshmi S., a Managing Partner and Founder of Periculum, a Dallas-based IT risk management advisory and strategy group, to get a better perspective on what we can do to better manage security risks in IoT. According to Sai, one of the reasons the IoT industry struggles to manage these vulnerabilities has to do with the fact that the IoT is “growing fast and is too unprepared” for what we are dealing with. The industry itself is an “entrepreneurial force of nature that pushes participants to collaborate in new ways because we, as individuals, cannot do it alone.”
Within that forced collaboration, companies are charting new territories as well as implementing new business processes and technologies. Sai states that there will be a “constant threat that every industry is going to face,” and while the attack may be similar, the impact could be quite different for each one.
According to Sai, consumers, providers, and device makers should recognize their role in securing IoT devices and data. She said, “Every person who brings a connected device or thing to a workplace or within the home needs to be accountable, and [we need to] make individuals aware of their impact.” But spreading that accountability can be tricky as it differs between audiences, and overcoming those differences will be a constant issue.
The perception of inherent security in an age where connected devices, personal or otherwise, are finding their way into daily life is only increasing. Wearables, for instance, and other personal devices on a company network can make employees an end-point of vulnerability. They may not be aware of it, but those end points “double, triple in IoT, and multiplies over the course of time. The number of end points that are being added are faster than they are curtailed,” which means that people often unintentionally create a vulnerability gap that hadn’t existed before, which could lead to internal threats.
Because of this, Sai stated that having that awareness of responsibility “minimizes the risks, though it cannot prevent them completely.” Instead, it slows down or reduces security risks, creating a type of stability. For example, most people wouldn’t leave confidential materials or things on their desks. It would be a great idea to think of these connected devices as being part of their “desk”, where the security measures essentially “lock” the desk drawers, keeping sensitive data out of reach.
So how do we combat the lack of awareness?
“You won’t see a lot of money for talking about the challenges. I would first bring awareness on what IoT space is doing for them [consumers and businesses], to better understand why they are using IoT, and where the value is at. Then we need to best determine how to put in processes so security isn’t an afterthought. That will give you a better approach, bringing awareness at each layer, so it isn’t a struggle or a battle, no pick and choose.”
This type of approach only becomes more crucial as we further incorporate IoT capabilities into more aspects of our lives, affecting us through telemedicine, smart city applications, and devices in the home. That is why organizations such as the CyberDEF Dojo Meetup Group in San Antonio are putting on a presentation on what IoT is and what the risks are for businesses and consumers as part of the group's Security Engagement Series. At the event, Rich Johanning, VP of Critical Infrastructure Protection at AECOM, and a technical demonstration of how to better protect oneself or one’s business that’s open to the public. To register for the event, follow the link: https://www.eventbrite.com/e/security-engagement-series-iot-tickets-30674119116
By opening the conversation up to consumers and companies alike, we can make great strides in making cyber security in IoT top of mind to better protect our homes and our businesses.
For more information about Periculum and its consulting services or for future speaking opportunities, please contact Sai at firstname.lastname@example.org
*Image Source: http://www.scc.com/it-services/network-security/