Black Hat Asia 2017: CISOs Must Get Proactive about the Internet of Things

These four steps will help reduce the risk from looming IoT attacks

Black Hat Staff, Contributor

March 12, 2017

Already busy protecting IT environments upended by cloud and mobility, CISOs now must deal with another security and compliance game changer: the Internet of Things. IoT opens up a new universe of attack opportunities for hackers to:

  • Steal confidential information

  • Tamper with “things” and cause real-world harm

  • Distribute malware

  • Hijack computing capacity and network bandwidth for DDoS attacks

With IoT, the number of connected devices that transmit sensitive data and can be remotely managed - and hacked - has skyrocketed, because previously offline “things” that were never designed to withstand attack are now on the network: toys, appliances, door locks, industrial machines, building equipment, vehicles, medical devices and security cameras.

While IoT yields many benefits for businesses, governments and consumers, its security has been a glaring afterthought, and CISOs are justifiably alarmed. Gartner forecasts that by 2020 more than 25% of identified attacks in enterprises will involve IoT, and estimates that 8.4 billion connected "things" are in use in 2017.

CISOs got a nasty wake-up call last October. Attackers infected an estimated 100,000 IoT devices with Mirai malware and used the botnet for a DDoS attack against DNS provider Dyn, crippling major websites. Many see the Dyn incident as the first of many nightmare scenarios in which attackers alter the thermostat settings in a data center, damaging expensive equipment; disable the brakes on vehicles, causing accidents; and tamper with infusion pumps in hospitals, harming patients.

Here are four proactive steps CISOs can take to help reduce the risk from potential IoT attacks.

Step 1. Identify IoT initiatives in your organization, understand their business goals, and get involved by:

  • Inventorying new IoT network endpoints

  • Planning for IT resources IoT systems will need, such as storage, bandwidth and middleware

  • Determining the physical security endpoints should have

  • Establishing the monitoring and alerting required to detect atypical endpoint behavior

  • Drafting policies governing IoT systems’ secure usage, management and configuration

  • Communicating IoT systems’ InfoSec, compliance and physical risks to business managers, IT leaders, CxOs and board members
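The inventory and the monitoring bullets above fit together: once you know which address belongs to which "thing" and what it is supposed to talk to, atypical behavior is simply traffic that falls outside that baseline. The following is an added example, not code from the Black Hat article or from any vendor. It assumes a hypothetical inventory (device addresses, allowed destinations and ports) and checks a batch of constructed flow records against it, flagging devices that talk to unexpected peers, probe the telnet ports Mirai scanned for (TCP 23 and 2323), fan out to an unusually large number of hosts, or are not in the inventory at all. The fan-out threshold is an assumption, not a recommended value.

```python
"""Detecting atypical IoT endpoint behaviour against an inventory baseline.

Added example, not from the Black Hat article. It assumes a per-device
inventory (hypothetical addresses and allow-lists) and checks a batch of
flow records against it. The flow records below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed inventory built in Step 1: device address -> what it should talk to.
# Addresses come from documentation ranges (RFC 5737) and RFC 1918 space; all hypothetical.
INVENTORY = {
    "10.0.20.11": {"type": "ip-camera", "allowed_dports": {443}, "allowed_dst": {"203.0.113.10"}},
    "10.0.20.12": {"type": "thermostat", "allowed_dports": {8883}, "allowed_dst": {"198.51.100.5"}},
}

# Telnet ports Mirai scanned for (TCP 23 and 2323).
SCAN_PORTS = {23, 2323}
# Assumed alerting threshold: distinct destination hosts per device per batch.
FANOUT_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def analyze(flows, inventory=INVENTORY, fanout_threshold=FANOUT_THRESHOLD):
    """Return {source_ip: sorted list of alert strings} for deviations from baseline."""
    alerts = defaultdict(set)
    destinations = defaultdict(set)
    scan_hits = defaultdict(int)

    for f in flows:
        device = inventory.get(f.src)
        if device is None:
            # A "thing" nobody inventoried is itself a finding.
            alerts[f.src].add("uninventoried source on IoT segment")
            continue
        destinations[f.src].add(f.dst)
        if f.dport in SCAN_PORTS:
            # Cameras and thermostats have no business probing telnet.
            scan_hits[f.src] += 1
        elif f.dport not in device["allowed_dports"] or f.dst not in device["allowed_dst"]:
            alerts[f.src].add(f"unexpected {f.proto}/{f.dport} to {f.dst}")

    for src, hits in scan_hits.items():
        alerts[src].add(f"telnet/2323 probes: {hits}")
    for src, dsts in destinations.items():
        if len(dsts) >= fanout_threshold:
            # Many distinct peers from a single-purpose device: scanning or DDoS participation.
            alerts[src].add(f"fan-out to {len(dsts)} distinct hosts")

    return {src: sorted(msgs) for src, msgs in alerts.items()}


def sample_flows():
    """Constructed flow records: normal traffic, one device behaving like a Mirai bot,
    one unknown device, and one device contacting a peer outside its baseline."""
    flows = [Flow("10.0.20.11", "203.0.113.10", 443) for _ in range(3)]
    flows += [Flow("10.0.20.12", "198.51.100.5", 8883)]
    # The camera now sweeps 25 hosts on the telnet ports.
    flows += [Flow("10.0.20.11", f"192.0.2.{i}", 23 if i % 2 else 2323) for i in range(1, 26)]
    flows += [Flow("10.0.20.99", "203.0.113.10", 443)]
    flows += [Flow("10.0.20.12", "192.0.2.44", 80)]
    return flows


if __name__ == "__main__":
    for src, msgs in sorted(analyze(sample_flows()).items()):
        print(src, INVENTORY.get(src, {}).get("type", "unknown"), msgs)
```

The point of keying everything on the inventory is that single-purpose devices have tiny, stable baselines, so a camera contacting dozens of hosts on telnet stands out immediately, and an address with no inventory entry is a finding in its own right rather than noise to be tuned out.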

Step 2. Poll service providers, partners, contractors and other third parties about their use of potentially insecure IoT systems that may endanger systems or data you’ve given them access to.

Step 3. Do due diligence on IoT system vendors by testing their products’ security and getting answers to questions like:

  • Can products be scanned, monitored and patched to fix vulnerabilities?

  • Are they baking security into product design?

  • Do their systems use secure hardware and software components?

  • Does product development have expertise on InfoSec areas like secure application development and data protection?

Step 4. Shine the harsh light of regulatory and policy compliance on your organization’s IoT plans, to determine:

  • Which data will be captured and transmitted by IoT endpoints?

  • What is the business risk of that data getting breached?

  • What regulations apply to IoT systems?
