Cyber Defense eMagazine August 2019
Cyber Defense eMagazine August Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
The IoT Headache and How to Bolster Defenses
By Dr. Mike Lloyd, CTO, RedSeal
There’s a saying in the security world: ‘if it’s on the network, it belongs to the CISO’. And CISOs have risen to the occasion, developing and honing a bag of tricks that work reasonably well even in the face of morphing attacks and unwitting employees. But now, with increasing numbers of very different devices connecting to the internet, CISOs are realizing that their standard bag of tricks doesn’t work on the Internet of Things (IoT).
First, what do we even mean by Internet of Things? I’ve discussed this with several experts in the area and I find those thinking about security have the best definition – ‘it’s IoT when we can’t get standard telemetry’. That is, the best definition I’ve encountered for the Internet of Things is about blindness and lack of knowledge.
We now have the technical means to cheaply put just about any device online. But that very cheapness is part of the problem – IoT devices compete on price and are hemmed in by strong cost constraints. If we connect a lightbulb to the internet (and yes, people do), you can bet the network functionality will be the cheapest version the manufacturer can get. Within that cheap functionality, security is one of the first things to go.
One of the key tricks in a CISO’s bag is updating applications early and often with the latest fixes. But they can’t update a lightbulb, or an industrial turbine, or every medical device in a hospital. Security and patching infrastructures don’t exist for these special-purpose IoT devices. It requires specific expertise and adds expense to keep up with the endless findings of security researchers. As a result, nobody is responsible for managing security updates for all the Things we’re bringing to the Internet.
Other CISO tricks involve installing security agents on every device and scanning networks for known vulnerabilities. But you can’t install a security agent onto an insulin pump, or an industrial controller, or a lightbulb. And, you can’t use vulnerability scanning – the main method for finding known security weaknesses in traditional IT infrastructure. If you do, at best a traditional scanner will struggle to identify the special-purpose device, but at worst, it might even crash the fragile Thing you’re trying to identify.
So, what can our CISO do in this world where traditional techniques don’t work well? It’s not as if a typical organization can just refuse to go along with IoT – these devices are proliferating rapidly. I’ve found that the best strategies are segmentation and resilience.
Segmentation makes sure that IoT devices have no access – even indirectly – to the outside world. These endpoints cannot be trusted and can’t be forced to run whatever control software you want. Instead, you must contain them, keeping these fragile and risky devices away from each other and anything else they could harm.
That is, as the endpoints get dumber (due to their focus on doing one job well), the network must get
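One way to check the "even indirectly" requirement in the segmentation paragraph, as an added example that is not from the article or from RedSeal: it treats any chain of allowed zone-to-zone flows as potential indirect access (a conservative assumption), and the zone names and rules are constructed for illustration.

```python
from collections import deque

# Constructed sample policy: each pair is an allowed flow (source zone -> destination zone).
# Zone names are hypothetical, not taken from the article.
ALLOWED = [
    ("iot-lighting", "bldg-mgmt"),    # bulbs report to a building controller
    ("bldg-mgmt", "corp-lan"),        # controller sends alerts to the corporate LAN
    ("corp-lan", "internet"),         # normal user egress
    ("iot-medical", "clinical-db"),   # pumps write to a records server
    ("iot-lighting", "iot-medical"),  # leftover any-any rule between IoT VLANs
]
IOT_ZONES = {"iot-lighting", "iot-medical"}
OUTSIDE = "internet"

def shortest_path(allowed, src, dst):
    """BFS over allowed flows; returns the zone list from src to dst, or None."""
    graph = {}
    for a, b in allowed:
        graph.setdefault(a, []).append(b)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(allowed, iot_zones, outside):
    """Return (kind, path) findings: IoT reaching outside, or IoT reaching other IoT."""
    findings = []
    for zone in sorted(iot_zones):
        path = shortest_path(allowed, zone, outside)
        if path:
            findings.append(("outside-reachable", path))
        for other in sorted(iot_zones - {zone}):
            path = shortest_path(allowed, zone, other)
            if path:
                findings.append(("iot-to-iot", path))
    return findings

if __name__ == "__main__":
    for kind, path in audit(ALLOWED, IOT_ZONES, OUTSIDE):
        print(f"{kind}: {' -> '.join(path)}")
```

No single rule in the sample policy connects an IoT zone to the internet; the exposure only appears when the rules are chained, which is why the check walks paths rather than inspecting rules one at a time.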