As attendees digest the messages coming out of RSA Conference last week, they're sifting through plenty of important themes that came to light, be it information sharing, big data analytics' impact on security, or the use of automation to better level the playing field against the scale attackers have achieved. But perhaps one of the most lasting topics to bridge conference session tracks and cocktail debates is the impending difficulty enterprise IT will face in securing the Internet of Things (IoT).
It's a new wave of technology that at first blush may seem like only a consumer security and privacy problem, but the issues are going to impact the enterprise in more ways than most realize, experts warn.
Andrew Hay, director of research for OpenDNS, says that in the preliminary research he's done so far, he's found 4,000 enterprises with devices beaconing out on the Internet that fall into the IoT category. And in most cases, the devices that pose big problems will be ones organizations may not even realize are there.
"You might not expect Samsung televisions beaconing out to the internet numerous times throughout the day in Fortune 500 oil and gas companies, but they're there," he says. "That would worry me, because these are essentially web servers."
Often these consumer devices pose a problem for security researchers due to the huge diversity of platforms and the obsolescence churn of the more consumer-grade IoT technology. But in many instances the other types of IoT devices—those in which infrastructure-type devices such as thermostats are outfitted with telemetry and connectivity—pose an opposite problem.
"Attackers like these because they're persistent. The thermostat in the CEO's office is going to stay there for 10 to 15 years," says Benjamin Jun, an advisory board member at Cryptography Research. "They're connected. There's probably a microphone on that device somewhere. And they're not very well-maintained. You just don't think about updating the firmware on your thermostat."
Right now the myopic outlook from the enterprise infosec crowd on IoT reminds Ed Skoudis a lot of how things looked at his first RSA back in 1997 when thought leaders were kicking around the very new wireless LAN technology.
"I thought then, they're going to make it much better than what we screwed up with cellular technology. Nope," says Skoudis, a fellow at the SANS Institute and founder of Counter Hack. "Every new wave of technology makes the same mistakes that the previous one does. We're going to get the next one wrong, so we need to figure how quickly we can try to fix it."
The difficulty is that IoT brings several new dimensions to the equation that many previous game-changing technologies did not. Most obvious is the technology's impact on the physical world.
For example, Wendy Nather, research director for 451 Research, says that at the show she heard from a customer whose story illustrated the real-world consequences that raise the stakes for IoT security.
"I heard yesterday from an enterprise user about a real-live case in the field of malware jumping from a mobile device to a car," she said. "It's not clear what the purpose of the infection was, but it did happen and actually stop the car. The computer system of the car wouldn't operate."
The scale of IoT is another added dimension of difficulty for CISOs and CIOs to deal with. The problem is that, from a budget perspective, mobile platforms have already divided up endpoint security dollars. With such a diversity of platforms that are often not well supported, enterprises are going to struggle to keep up with managing everything.
"Those are real challenges," Jun says. "It's management, it's money and it's deciding how much we actually care about doing this as an organization."
Nather's story offers anecdotal evidence that attackers are going to target these devices as low-hanging fruit, especially as they recognize the management gap that Jun details.
"Adversaries are really thinking hard about how to maintain long-term access to infrastructure," says Dmitri Alperovitch, CTO of CrowdStrike. "As defenses get built up on typical systems we think about protecting, they'll start thinking about where to put implants that won't be checked. So things like printers and thermostats are a great place to hide because (enterprises) don't have visibility into those systems and never think about scanning them."