FEATURE: IoT

THE SECURITY OF THINGS

READY OR NOT, THE INTERNET OF THINGS IS COMING. IN FACT THE DEMAND FOR IoT DEVICES IS OUTSTRIPPING ITS ABILITY TO BE SECURE. JOHN SMITH, PRINCIPAL SOLUTIONS ARCHITECT FOR SECURITY AT EXTRAHOP, EXPLORES THE ISSUES

Just five years ago BYOD (Bring Your Own Device) was the hottest topic in IT security. iPhone and Android had rapidly usurped the mobile market from Blackberry, ushering in a wave of connectivity and unsecured access to enterprise resources that were not issued, configured or controlled by IT.

Fast-forward half a decade and a device is a lot more than a mobile phone. The rise of connected devices, known as The Internet of Things, has exploded the number of endpoints connecting to and communicating on the network, ranging from personal fitness trackers to drug infusion pumps and industrial equipment. Although security for mobile devices matured following some hard lessons, IoT security is still in its infancy.

The high demand for IoT functionality and its advantages is currently forcing solutions to market without many of the existing functions and established security disciplines in place. That means that the security we depend on for compliance with regulatory frameworks in our non-IoT systems just doesn't exist within the IoT estate, and this provides a greenfield opportunity for hackers. IoT system owners who want to have systems accepted and promoted into production will need to innovate to provide the necessary auditing and compliance that is present in existing production systems. Functions and solutions around logging, agents, SNMP MIBs etc. will likely be missing from these systems.

To bridge the gap between IoT adoption and security maturation, information security teams need to implement monitoring technologies that can supplement the lack of native auditing and accountability. While traditional monitoring tools like agent instrumentation and NetFlow still struggle to support IoT deployments at scale, emerging options that deliver streaming analytics of network-based data, so-called wire data, offer much better visibility into the interactions occurring between IoT devices and other systems. Given the broad visibility that wire data analytics technologies deliver into IoT devices, they may well become the de facto standard for monitoring and auditing.

But it's not just information security teams that need to take a proactive stance. Consumers need to make themselves aware of the risks to their privacy when they deploy IoT-based devices. Businesses need to move beyond the regulatory framework and actively test the security of their IoT devices, implement and enforce login and authentication policies, and customise security policies for specific IoT devices in the environment. Incumbent policies that may work for existing shared services are not necessarily appropriate at the device level.

Most importantly, IoT needs to be standardised concerning what protocols and encryption levels are acceptable. While a regulatory framework is not the only solution, some standardisation based on the types of data being transferred, the likelihood of a breach and its potential impact will be critical. While the hacking of a domestic Bluetooth-enabled speaker system could prove annoying, it has nowhere near the impact of an Iranian centrifuge spinning out of control, or a hospital unable to perform diagnostic testing and administer life-saving treatments.

The time to begin planning for this is now, while the harm is still mostly theoretical. Proactive policy development and enforcement, comprehensive monitoring, protocol and even in-transit encryption standardisation are all valid options.

In terms of practical approaches, the first steps should be a baseline audit of what is attaching to the network, followed by a schedule of periodic re-detection. The creation and dissemination of a formal policy mandating that end users and IT staff declare and receive permission for the IoT devices they would like to add to the network should be mandatory. This at least makes the issue visible and helps to raise awareness on the part of businesses and consumers. It is not a solution, but it will go a long way towards better securing the connected world.

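
The baseline audit, periodic re-detection and declaration policy described above come down to comparing three lists. The sketch below is an added example, not code from the article or from ExtraHop; the "MAC IP" input lines, the sample devices and all function names are assumptions made for illustration.

```python
# Added example: compare a re-detection scan with the baseline audit and the
# register of declared devices. The "MAC IP" line format is an assumption.
import re

def normalise_mac(raw):
    """Accept aa-bb-.., AA:BB:.. or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_sightings(text):
    """Return {mac: ip}; blank lines and '#' comments are skipped."""
    seen = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2:
            seen[normalise_mac(fields[0])] = fields[1]
    return seen

def audit(baseline, rescan, declared):
    """Classify what the re-detection run found."""
    declared = {normalise_mac(m) for m in declared}
    old, now = set(baseline), set(rescan)
    return {
        "new_since_baseline": sorted(now - old),   # attached after the audit
        "undeclared": sorted(now - declared),      # no permission on record
        "missing": sorted(old - now),              # removed, or gone quiet
        "ip_changed": sorted(m for m in old & now if baseline[m] != rescan[m]),
    }

# Constructed sample data: made-up MACs, documentation IP range.
BASELINE = parse_sightings("""
00:11:22:33:44:55 192.0.2.10   # infusion pump gateway
66-77-88-99-AA-BB 192.0.2.11   # badge reader
02:00:00:00:00:09 192.0.2.12   # fitness tracker dock
""")
RESCAN = parse_sightings("""
0011.2233.4455 192.0.2.10
6677.8899.aabb 192.0.2.40
02:AB:CD:00:00:01 192.0.2.77
""")
DECLARED = ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]
REPORT = audit(BASELINE, RESCAN, DECLARED)

if __name__ == "__main__":
    for finding, macs in REPORT.items():
        print(f"{finding}: {macs}")
```

MAC addresses are normalised before comparison because switches, DHCP servers and asset registers rarely agree on notation; without that step the same device shows up as both "new" and "missing".
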
Network Computing, January/February 2017 (www.networkcomputing.co.uk, @NCMagAndAwards)