Commentary
7/25/2014 12:00 PM
Michael K. Daly

Internet of Things: 4 Security Tips From The Military

The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It's time to take a page from their battle plan.

The Internet of today, what some are calling the Internet of Things (IoT), is a network enabled by embedded computers, unobtrusive sensors, worldwide systems, and big-data analytic environments. These systems, sensors, and devices are communicating amongst themselves and feeding a ubiquitous network seamlessly integrated with our lives.

While the efficiencies and insights gained through the deployment of this massive interconnected system will bring new benefits, it could also bring new risk. Experience shows us that when everything is connected, everything is vulnerable.

In fact, this approach to creating systems of systems is not new. The military has been connecting mobile command posts, unmanned vehicles, and wearable computers in the battle space for decades. These devices and systems are connected to a network that feeds into a common operating picture for the warfighter.

The expertise gained by companies creating these systems of systems for the military has provided a unique perspective on information security risks. As cyberthreats become more sophisticated and aggressive in this expanding IoT environment, four areas of concern will rise in importance. All organizations should:

1) Make sure information is reliable and systems are resilient. With the large amount of data generated by the IoT, a key question will be: "How do I know the data generated by this system is reliable?" Chief information security officers (CISOs) can find answers within information assurance strategies. Reliability here means integrity and authenticity, not only confidentiality: the consumer of a reading needs to know which device produced it and that nobody altered it on the way, and that is what a signature provides. Data can be signed and encrypted with simple tools like Secure/Multipurpose Internet Mail Extensions (S/MIME) or protected by more complex systems like Information Rights Management (IRM) solutions.
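Signed telemetry, as an added example that is not part of the original article: the collector below accepts a sensor reading only if it carries a valid message authentication code under that device's key, its timestamp is fresh, and its sequence number has not been seen before. An HMAC over canonical JSON stands in for the S/MIME signature mentioned above; the device identifiers, keys and readings are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device secrets; in a real deployment these are provisioned at
# enrollment (ideally inside a hardware secure element) and never leave the device.
DEVICE_KEYS = {
    "hvac-ctl-07": b"\x01" * 32,
    "meter-3a": b"\x02" * 32,
}


def _canonical(reading: dict) -> bytes:
    """Canonical JSON so the device and the collector hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, ts: int, payload: dict, key: bytes) -> dict:
    """Device side: bind the payload to its origin, a monotonic counter and a timestamp."""
    reading = {"device": device_id, "seq": seq, "ts": ts, "payload": payload}
    mac = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    return {**reading, "mac": mac}


class Collector:
    """Collector side: rejects forgeries, tampered fields, stale and replayed readings."""

    def __init__(self, keys: dict, max_skew: int = 300):
        self.keys = keys
        self.max_skew = max_skew  # seconds of clock drift tolerated
        self.last_seq = {}        # device -> highest accepted sequence number

    def verify(self, msg: dict, now: int):
        key = self.keys.get(msg.get("device"))
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; any edited field changes the expected MAC.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if msg["seq"] <= self.last_seq.get(msg["device"], -1):
            return False, "replayed"
        self.last_seq[msg["device"]] = msg["seq"]
        return True, "ok"


def run_demo(now: int = 1_406_289_600) -> dict:
    """Constructed scenario; returns the collector's verdict for each case."""
    collector = Collector(DEVICE_KEYS)
    key = DEVICE_KEYS["hvac-ctl-07"]
    good = sign_reading("hvac-ctl-07", 1, now, {"temp_c": 21.5}, key)
    verdicts = {"valid": collector.verify(good, now)[1]}
    # An attacker on the path rewrites the value but cannot recompute the MAC.
    tampered = dict(good, payload={"temp_c": 99.0})
    verdicts["tampered"] = collector.verify(tampered, now)[1]
    # The original, valid message is delivered again a few seconds later.
    verdicts["replay"] = collector.verify(good, now + 5)[1]
    # A forged reading for another device, signed with a guessed key.
    forged = sign_reading("meter-3a", 1, now, {"kwh": 1}, b"guess" * 8)
    verdicts["forged"] = collector.verify(forged, now)[1]
    # A genuine reading recorded an hour ago and delivered late.
    stale = sign_reading("hvac-ctl-07", 2, now - 3600, {"temp_c": 21.5}, key)
    verdicts["stale"] = collector.verify(stale, now)[1]
    return verdicts


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:9s} -> {verdict}")
```

A shared secret means the collector could forge readings too, so it gives integrity but not non-repudiation; where that matters, give each device its own private key and verify with the public half, which is what an S/MIME signature does.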

Additionally, data separation and risk containment can be provided through virtual machine technology, database containers, and cross-domain solutions brought over from the military domain. Systems must be hardened, not just patched: unnecessary services and applications must be removed, and the software that remains must be configured appropriately. Too many systems built for the IoT, on the device side and the cloud side alike, are based on general-purpose operating systems and are left with features running that expose them to risk for no benefit.
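A hardening check for the "unnecessary services" point, added here as an example rather than taken from the article: it parses `ss -tulnp` output from a Linux-based gateway (a constructed sample is embedded so the block runs offline) and reports every listener that is not on an explicit allowlist, an allowed port served by the wrong process, and a loopback-only service bound to all interfaces. The allowlist, the process names and the sample are hypothetical.

```python
import re

# Constructed `ss -tulnp` output for a gateway that should expose only sshd and
# a local-only MQTT broker.
SAMPLE_SS = '''\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      128    127.0.0.1:1883      0.0.0.0:*         users:(("mosquitto",pid=702,fd=5))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=830,fd=6))
tcp   LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=455,fd=3))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=390,fd=12))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=611,fd=4))
'''

# Hypothetical allowlist: what this host may listen on, which process, and how far exposed.
ALLOWED = {
    ("tcp", 22): {"process": "sshd", "exposure": "external"},
    ("tcp", 1883): {"process": "mosquitto", "exposure": "loopback"},
}
LOOPBACK = {"127.0.0.1", "::1"}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(text: str) -> list:
    """Turn `ss` lines into dicts; the process is '?' when ss ran without privileges."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        addr, _, port = m.group("local").rpartition(":")
        listeners.append({
            "proto": m.group("proto"),
            "addr": addr.strip("[]"),
            "port": int(port),
            "proc": m.group("proc") or "?",
        })
    return listeners


def audit(ss_output: str, allowed: dict = ALLOWED) -> list:
    """Return (proto, port, process, finding) for every listener that violates policy."""
    findings = []
    for l in parse_ss(ss_output):
        rule = allowed.get((l["proto"], l["port"]))
        if rule is None:
            findings.append((l["proto"], l["port"], l["proc"],
                             "not on allowlist: disable or remove the service"))
        elif l["proc"] != rule["process"]:
            findings.append((l["proto"], l["port"], l["proc"],
                             f"port reserved for {rule['process']} but served by {l['proc']}"))
        elif rule["exposure"] == "loopback" and l["addr"] not in LOOPBACK:
            findings.append((l["proto"], l["port"], l["proc"],
                             "bound to all interfaces; restrict to loopback"))
    return findings


if __name__ == "__main__":
    for proto, port, proc, why in audit(SAMPLE_SS):
        print(f"{proto}/{port} ({proc}): {why}")
```

On a live host, feed `ss -tulnp` output in place of the sample and run the audit from configuration management so that a listener appearing after an update shows up as drift, not as a surprise during an incident.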

2) Keep pace with technology. Each new device that enters the IoT domain introduces new vulnerabilities and threats. A cyber adversary gains not only a new target with its own vulnerabilities to exploit, but also a new path from which to attack the other entities on your network. Companies will succeed in the IoT environment when they understand both the new opportunities gained from new devices in their business ecosystem and the new risks they take on, and plan in advance how best to manage them.

Security organizations should have a lab and do their own research on new devices, to understand not just how to use a device but also what is embedded in it, what data it generates and transmits, where it transmits that data, and what connections it will accept from other devices in the environment, among a host of other concerns. Most importantly, organizations must work out what advantage an adversary would gain from access to the device's sensors and the data it generates, including the personal devices users bring into the building, and prepare for that.
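One way to answer "what does the device transmit, where, and what does it accept", added here as an example and not taken from the article: build a per-device connection profile from flow records captured in the lab, then compare the profile seen in production against it. The records below are constructed in a simplified Zeek conn.log style (the conn_state values follow Zeek's meaning: SF is a completed connection, S0 an unanswered attempt, REJ a refused one); the addresses and the cleartext-port list are assumptions.

```python
import csv
import io

DEVICE_IP = "10.0.5.21"  # the device under study in the lab (constructed)

# Constructed lab capture: the device talks to its vendor cloud over 443 and 80,
# does mDNS and NTP, serves a web UI on 80 and refuses telnet.
LAB_FLOWS = """\
ts,src,sport,dst,dport,proto,conn_state
1,10.0.5.21,40011,203.0.113.10,443,tcp,SF
2,10.0.5.21,40012,203.0.113.10,80,tcp,SF
3,10.0.5.21,5353,224.0.0.251,5353,udp,S0
4,10.0.5.21,40013,198.51.100.7,123,udp,SF
5,10.0.0.9,51000,10.0.5.21,80,tcp,SF
6,10.0.0.9,51001,10.0.5.21,23,tcp,REJ
"""

# Constructed production capture: the lab traffic plus one destination never seen there.
PROD_FLOWS = LAB_FLOWS + "7,10.0.5.21,40014,192.0.2.55,443,tcp,SF\n"

# Ports whose traffic is readable on the path (assumption: no TLS on these).
CLEARTEXT_PORTS = {("tcp", 80), ("tcp", 23), ("tcp", 21), ("tcp", 1883), ("udp", 161)}
# conn_state values that imply the responder accepted the connection.
ESTABLISHED = {"SF", "S1"}


def profile_device(flows_csv: str, device_ip: str) -> dict:
    """What the device initiates, and which inbound ports it accepts or refuses."""
    prof = {"outbound": set(), "inbound_accepted": set(), "inbound_refused": set()}
    for row in csv.DictReader(io.StringIO(flows_csv)):
        key = (row["proto"], int(row["dport"]))
        if row["src"] == device_ip:
            prof["outbound"].add((row["dst"],) + key)
        elif row["dst"] == device_ip:
            bucket = "inbound_accepted" if row["conn_state"] in ESTABLISHED else "inbound_refused"
            prof[bucket].add(key)
    return prof


def review(profile: dict, baseline: dict = None) -> list:
    """Findings for a profile, optionally relative to the lab baseline."""
    findings = []
    for dst, proto, port in sorted(profile["outbound"]):
        if (proto, port) in CLEARTEXT_PORTS:
            findings.append(f"cleartext egress to {dst}:{port}/{proto}; sensor data is readable on the path")
        if baseline and (dst, proto, port) not in baseline["outbound"]:
            findings.append(f"new destination {dst}:{port}/{proto} not seen in the lab")
    for proto, port in sorted(profile["inbound_accepted"]):
        if baseline and (proto, port) not in baseline["inbound_accepted"]:
            findings.append(f"device now accepts inbound {port}/{proto}, which it did not in the lab")
    return findings


if __name__ == "__main__":
    lab = profile_device(LAB_FLOWS, DEVICE_IP)
    print("accepts:", sorted(lab["inbound_accepted"]), "refuses:", sorted(lab["inbound_refused"]))
    for finding in review(profile_device(PROD_FLOWS, DEVICE_IP), lab):
        print(finding)
```

The lab profile is the answer to the article's questions for one firmware version; keep it under version control next to the firmware hash, because a vendor update that adds a new cloud endpoint or opens a new inbound port is exactly what this comparison is meant to catch.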

3) Focus on the insider threat. The IoT is about connections among devices, the masses of data generated by sensors, cloud processing and storage, and automated actuators. Threats to this environment may be slowed by perimeter defenses, but security experts know the most dangerous threat is the one already inside, where the most serious damage can be done. The Target, Wikileaks, and Snowden breaches are evidence of this damage, particularly regarding financial costs and loss of trust. The Target example is all about the IoT: the adversaries reached the point-of-sale (POS) devices by first entering through the network access held by a heating, ventilation, and air conditioning (HVAC) contractor, a building-systems path that should never have been able to reach the payment network. As a result, banks and credit unions lost more than $200 million, according to the Consumer Bankers Association.
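The Target lesson as a check, added here as an example and not taken from the article or from any account of Target's actual network: model the zones and the zone-to-zone flows a firewall policy permits as a directed graph, then ask whether the contractor access zone can reach the POS zone by any chain of allowed hops. The zone names and both policies are hypothetical; the first is a flat design where everything meets in the corporate network, the second terminates contractor access in the building-controls zone.

```python
from collections import deque

# Hypothetical flat policy: contractor VPN lands on the corporate network, which
# can reach both building controls and the POS estate.
FLAT_POLICY = {
    "vendor-vpn": {"corp"},
    "corp": {"hvac", "pos", "vendor-vpn"},
    "hvac": {"corp"},
    "pos": {"payment-gw"},
    "payment-gw": set(),
}

# Hypothetical segmented policy: contractor access terminates in the HVAC zone,
# controllers initiate nothing elsewhere, and POS talks only to the payment gateway.
SEGMENTED_POLICY = {
    "vendor-vpn": {"hvac"},
    "hvac": set(),
    "corp": {"hvac"},
    "pos": {"payment-gw"},
    "payment-gw": set(),
}

# Pairs that must never be reachable, however many hops it takes.
FORBIDDEN = [("vendor-vpn", "pos"), ("hvac", "pos"), ("vendor-vpn", "payment-gw")]


def reachable_path(policy: dict, src: str, dst: str):
    """Breadth-first search over permitted flows; returns the shortest zone path or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for nxt in policy.get(zone, ()):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def check_segmentation(policy: dict, forbidden: list) -> dict:
    """Map each forbidden pair that is still reachable to the path an attacker could take."""
    violations = {}
    for src, dst in forbidden:
        path = reachable_path(policy, src, dst)
        if path:
            violations[(src, dst)] = path
    return violations


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, check_segmentation(policy, FORBIDDEN) or "no forbidden zone is reachable")
```

The graph only has to record who may initiate a connection; stateful return traffic does not add hops. What the flat result makes visible is that a corporate zone allowed to manage both the controllers and the registers is itself the pivot, regardless of how well each of those two zones is protected on its own.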

In this new environment, it is critical for companies to have insider-focused security and continuous monitoring solutions that can detect anomalies and unauthorized privileged-user activity, and determine when information has been accessed inappropriately. These must be behavioral analytics that learn what normal looks like for each user and device, not just simple rules and policies: an insider, or an attacker using an insider's credentials, is by definition authorized, so a rule that only checks authorization will never fire.

4) Embrace (big and community) data analytics to minimize cyberthreats. The IoT will generate more data as new devices and systems are added to the ecosystem. Innovations in analytics will drive not only more efficient processes but also new ways to detect threats. For example, successful data analytics programs apply algorithms that automatically surface areas of cyber security interest in large volumes of data, so analysts start from a short ranked list rather than from the raw stream. In this new ecosystem, analytics will hold the key to detecting threats early, before they do damage.
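Behavioral baselining for privileged-user activity, serving both point 3 above (insider-focused monitoring beyond simple rules) and point 4 (letting an algorithm surface what deserves an analyst's attention). This is an added example, not the article's or any vendor's product: it learns, per user, the hosts touched, the active hours and the usual volume from a training window of constructed access-log lines, then scores new lines against that baseline and alerts only when several deviations coincide. The log format, user and host names are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training window: a DBA's normal week (timestamp user host action bytes).
BASELINE_LOG = """\
2014-07-14T09:12:03 alice db-prod-1 SELECT 1200
2014-07-14T10:40:19 alice db-prod-1 SELECT 800
2014-07-15T09:05:41 alice db-prod-1 SELECT 1500
2014-07-15T14:22:10 alice db-prod-2 SELECT 900
2014-07-16T11:18:55 alice db-prod-1 SELECT 1100
2014-07-17T09:47:32 alice db-prod-2 SELECT 1300
2014-07-18T10:02:08 alice db-prod-1 SELECT 1000
"""

# Constructed new window: one normal query, then a late-night bulk pull and a
# 2 a.m. query against an HR database the account has never touched. Every line is
# an authorized account on a host it may log into, so an authorization rule passes all three.
NEW_LOG = """\
2014-07-21T09:30:00 alice db-prod-1 SELECT 1250
2014-07-21T23:41:17 alice db-prod-1 SELECT 48000
2014-07-22T02:15:44 alice hr-db-1 SELECT 30000
"""


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, user, host, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events: list) -> dict:
    """Per-user profile: hosts seen, working-hour window, volume mean and spread."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hours = [e["ts"].hour for e in evs]
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "hosts": {e["host"] for e in evs},
            "hour_lo": min(hours) - 1,
            "hour_hi": max(hours) + 1,
            "mean": statistics.fmean(sizes),
            "stdev": statistics.pstdev(sizes) or 1.0,  # avoid division by zero on constant volume
        }
    return baseline


def score(event: dict, baseline: dict, z_limit: float = 3.0) -> list:
    """Reasons an event deviates from its user's baseline; an empty list means normal."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in b["hosts"]:
        reasons.append("new host")
    if not b["hour_lo"] <= event["ts"].hour <= b["hour_hi"]:
        reasons.append("off-hours")
    z = (event["bytes"] - b["mean"]) / b["stdev"]
    if z > z_limit:
        reasons.append(f"volume z={z:.1f}")
    return reasons


def detect(new_log: str, baseline: dict, min_reasons: int = 2) -> list:
    """Alert only when deviations coincide; one odd feature is noise, several are a story."""
    alerts = []
    for e in parse(new_log):
        reasons = score(e, baseline)
        if len(reasons) >= min_reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["host"], reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for ts, user, host, reasons in detect(NEW_LOG, base):
        print(ts, user, host, ", ".join(reasons))
```

Two caveats a practitioner would add: a week is a short training window, so the hour bounds and the z-score threshold above are illustrative and should be tuned on real history, and the baseline must be rebuilt from data that was itself reviewed, or an insider who ramps up slowly trains the detector to accept the ramp.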

The IoT has moved from the military to everyday life, allowing us to create and process more data than ever before on everything from the products we buy, to critical power and water, to how we drive on the highway. Making sure this system of systems is secure will help us ensure the IoT delivers its promise of convenience and efficiency.

Michael K. Daly is CTO, Cybersecurity and Special Missions of Raytheon Intelligence, Information and Services. Raytheon Intelligence, Information and Services provides cyber security products and services and offers a full range of training, space, logistics, and engineering ...
Comments
Marilyn Cohodas,
User Rank: Strategist
7/30/2014 | 3:23:45 PM
Re: What not to learn from the military
I couldn't resist posting this image of a Cylon :-)

MichaelKDaly,
User Rank: Author
7/30/2014 | 2:48:44 PM
Re: What not to learn from the military
Funny you say that!  I use an image of a Cylon in some of my presentations as a reminder that being connected means inherent risk :-)
Jeff Jerome,
User Rank: Apprentice
7/30/2014 | 1:51:39 PM
Re: What not to learn from the military
We have tasked key individuals with that need to "keep up." We do that through our manufacturers, customers, vendors and, most importantly, Information Week. It is an almost impossible task, but knowing how to find it is the key, I believe.
Marilyn Cohodas,
User Rank: Strategist
7/30/2014 | 1:35:32 PM
Re: What not to learn from the military
Finding what you need about the Internet of Everything is indeed a formidable task. Best practice 2 -- Keep pace with technology -- is a job in and of itself. Who is tasked with that in your companies? Anyone?
Jeff Jerome,
User Rank: Apprentice
7/30/2014 | 8:29:01 AM
Re: What not to learn from the military
And how do we keep up with technology? There is so much change that it is almost impossible to keep up. Even if you assign verticals to groups, it is an impossible task. My sense is: know enough to know where you can find what you need. Oh yes, the Internet of Everything.
GonzSTL,
User Rank: Ninja
7/29/2014 | 9:29:26 AM
Re: What not to learn from the military
@aws0513 An excellent post! I have found myself talking about those points so many times, but unfortunately they sometimes fall on deaf ears. Usually it is because the listener has their own perception of security governance, and when it comes into conflict with those points, they stop hearing the message. I should add that many IT leaders desire to build their organizational empires, and simply lose objectivity in the process. Take a CIO for example, who believes that security should fall under his/her purview, without realizing the conflict of interest, and that IT and security must be on separate tracks but partnered towards the same goal - delivery of secure services. It amazes me that given today's threat landscape, people still do not see or even simply ignore the importance of this separation of duties. Although it is still too early to determine the outcome, a classic example is Target. They experienced a major breach, a major organizational shakeup, were given the opportunity to build a security organization with full support from top management, and they placed the CISO under the CIO! I fail to see why they did not separate these two officers and give them equal say, forcing the tiebreaker to be someone above both of them, and whose primary responsibility is the success of the entire organization. Let that person weigh the risks and make the ultimate decision.

The IoT introduces a far more widespread and increasingly complex IT infrastructure, but the underlying principles behind securing it remain the same, as you have outlined below. What remains to be seen is how effectively the security implications are communicated upwards in an organization, so that resources are properly allocated to achieve security. After all, effective communication remains one of the biggest challenges faced by security pros.

aws0513,
User Rank: Ninja
7/28/2014 | 7:54:06 PM
Re: What not to learn from the military
First... thank you for the kind comment.

Next...

All of the following is my general opinion. Others may see things differently.

Most enterprise security teams fall way short on preparing for the worst.

Some of my observations gleaned over the years:

- Many organizations have already mistakenly treated "redundancy" as a replacement for full offline backups.

- Many organizations still do not fully grasp the concepts of "least privilege" and "separation of duties".

- Many organizations do not implement "self auditing" practices to not only validate the security controls they may have in place, but also provide information that may improve their processes and protocols that can benefit the organization in the event of a disaster.

- Most organizations still struggle with finding talented IT pros with a strong foundation of security understanding, and often hire just one person, with no contingency for when that person suddenly becomes unavailable.

- Most organizations' management seems to be limited in its decision-making capabilities by demands for profit, demands for product delivery, and demands by customers who claim they are always right. Often, this leads to a lack of managerial willpower to stand up and say "We need to do this right, not fast." What seems even more troublesome are those "visionary" managers who still seem to avoid implementing a risk management approach to their ideas. Security practices often seem to be an afterthought where they should be integral to business operations.

- Many people are still reluctant to ask the tough questions about practices that are currently in place. This is for various reasons, but often boils down to a general reluctance to question management practices or decisions.

- Communication (listening especially) skills will always be a challenge.  Managers often find it difficult to swallow the news that their operations are not secure.  When anyone points out a potential flaw in security, good managers should be vigilant and serious in their investigations into those claims. Security pros must also practice good listening to find ways to implement security practices while still finding a way to say "yes, we can do this securely".

If I were to lay out first priorities:
  1. Learn about the 20 Critical Security Controls. Where possible, validate that each control set is in place and fully operationalized within the organization. Start with 1 and work to 20. It will take patience and persistence. The implementation of security controls will also take management willpower to promote changes. Where a control is not well established, conduct a gap analysis and implement a plan of action to remediate the shortfall. Just operationalizing the first 8 controls can be a huge gain in security for any organization.
  2. Know where your backups are AND implement a continuous program to practice data system recovery. You will learn a ton of things about your environments when you learn what it takes to recover them.
  3. Ensure your procurement plans for restoration of a site are kept up to date. Let management know if there are any funding issues they should be aware of in this regard. Integrate this with your backup and recovery plan when changes occur due to vendor phase-out of products.
  4. Break out NIST SP800-53 and start going through the various control families in there. Have management seriously consider the PM (Program Management) family of controls because that is where the organization must determine and implement an internal structure that will be necessary to support a robust security program. NOTE: If one reads 800-53 for awhile, it will likely become apparent there is a wealth of good material in the often very dry content.
  5. Stay current.  Every major security certification that is worthy of having in your resume requires the certification holders to stay up to date on new trends, practices, and events.  DarkReading is just one of many venues where I collect information that is current and relevant to my profession.
BTW...  the above 5 items are for anyone with a prevalent security role within an organization...  management and security professionals alike.
I hope this is helpful to anyone reading.  Keep up the good fight out there.
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 2:07:48 PM
Re: What not to learn from the military
That's a great template for commercial security operations to follow. Thanks for sharing it with us at Dark Reading. Wondering your thoughts on how prepared the typical enterprise security team currently is for these kinds of challenges and what their first priorities should be.
aws0513,
User Rank: Ninja
7/28/2014 | 1:57:37 PM
Re: What not to learn from the military
It isn't so much what not to learn from the military, as much as it is to try to learn from the things that the military may still be struggling with.

In my 22 years of military service, one of the constant concepts of operations that was engendered within any military service component, regardless of job, situation, or technology, was that there should ALWAYS be a contingency plan for every operational solution where possible.

Example scenarios:
  • If the power grid is cut off or rendered inoperable...
  • If a truck broke down...
  • If the local area network stops functioning...
  • If the coffee maker failed...
  • If a key application is rendered inoperable or compromised...
  • If an important file is deleted from a file share...
  • If the only telco trunk leading into the base of operations was cut due to a backhoe operator mistake...

Example contingency relevant questions for each scenario:
  • What can we do, or what must we have, to maintain operational capabilities as a military unit?
  • What amount of time and resources would it take to restore the solution?
  • What capabilities would be rendered unavailable if the solution is lost? 
  • Can we identify more than one contingency to provide flexibility and durability to operations?
  • If there is no alternative solution, how can we operationalize the solution in a way that it has redundancy, or put in protocols and practices to substantially reduce the risk of loss or compromise of the solution?

For each identified and feasible contingency, documentation and funding and testing were required on a regular basis to ensure the contingency was still suitable and operational.

That being said, many civilian practices that exist today are modeled after solutions established by the military simply because the military MUST, due to their very nature, develop solutions and processes that maintain high levels of operational capability in the most chaotic and dangerous environments. 

Often these same solutions and processes turn out to be exceptionally effective in a less chaotic environment.

Getting back to my first statement, the things that the military may still be struggling with, will most likely also be a problem for civilian organizations.
Thomas Claburn,
User Rank: Ninja
7/25/2014 | 6:39:25 PM
Re: What not to learn from the military
We can also learn something from the fictional military, as depicted in the recent remake of Battlestar Galactica: Networked equipment will be your doom.