Risk
1/9/2014
12:54 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

SANS Announces Results Of Its 2013 Securing The Internet Of Things Survey

Call on vendors to take responsibility for securing devices

BETHESDA, Md., Jan. 8, 2014 /PRNewswire-USNewswire/ -- SANS announces results of its 2013 Securing the Internet of Things survey, sponsored by Codenomicon and Norse, in which 391 IT professionals answered questions about the current and future security realities of the Internet of Things (IoT).

"The Internet of Things is not just a buzzword, nor is it merely a vision of the sci-fi future. It's already happening, in every sector of the global economy.

Self-parking cars, autonomous drones, smart meters talking to smart appliances in the home, HVAC systems in commercial buildings, wireless-enabled medical devices and wearable fitness gadgets are all examples. Ubiquitous embedded software, often vulnerable and even unpatchable, enabled by 24/7 wireless connectivity, creates an unprecedented level of interconnectivity and complexity," says SANS Analyst Gal Shpantzer. "This unique survey takes a look at the security community's perception of the vulnerabilities in the IoT and the threats that would exploit them."

In the survey, almost 60% of respondents fully understand and find the Internet of Things relevant to their companies and jobs; 43% of respondents are already actively working to secure some of these types of "Things" in their environments.

"The SANS Securing the Internet of Things survey results show that the security community is already aware of the challenges the IoT will bring and that those challenges will require both the evolution of existing security controls and the development of new security processes," says survey author John Pescatore.

Survey respondents were most concerned about device connections to the Internet (50%), followed by vulnerabilities associated with the command and control channel to the device's firmware (24%), with another 9% concerned about the firmware itself.

While it's clear that most organizations are preparing to embrace the IoT, 50% of respondents were not ready to secure an ecosystem of "Things," and while they acknowledge that their IT staff is responsible for securing their Things, they expect vendors to play a critical role in security of such devices as well.

Pescatore explains, "Security managers will hold the manufacturers of "Things"

to higher levels of responsibility for security than they required for PCs and servers."

Results and insights surrounding security challenges for the IoT will be released during a webcast on Wednesday, January 15, at 1 PM EST. To register for the complimentary webcast please visit: http://www.sans.org/info/148160

Those who register for these webcasts will be given access to an advanced copy of the associated report developed by John Pescatore.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 27 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.

(www.SANS.org)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.