Black Hat Asia 2017: CISOs Must Get Proactive about the Internet of Things
These four steps will help reduce the risk from looming IoT attacks
Already busy protecting IT environments upended by cloud and mobility, CISOs now must deal with another security and compliance game changer: the Internet of Things. IoT opens up a new universe of attack opportunities for hackers to:
Steal confidential information
Tamper with “things” and cause real-world harm
Distribute malware
Hijack computing capacity and network bandwidth for DDoS attacks
With IoT, the number of connected devices that transmit sensitive data and can be remotely managed (and therefore remotely attacked) has skyrocketed, because previously offline "things" that were never designed to withstand attackers are now on the network: toys, appliances, door locks, industrial machines, building equipment, vehicles, medical devices and security cameras.
While IoT yields many benefits for businesses, governments and consumers, its security has been a glaring afterthought, and CISOs are justifiably alarmed. By 2020, more than 25% of identified attacks in enterprises will involve IoT, according to Gartner, from an estimated 8.4 billion connected "things" that will be in use.
CISOs got a nasty wake-up call in October 2016. Attackers infected roughly 100,000 IoT devices with the Mirai malware and used the resulting botnet for a DDoS attack against DNS provider Dyn, crippling major websites. Many see the Dyn incident as the first of many nightmare scenarios in which attackers alter the thermostat of a data center and damage expensive equipment, disable the brakes on vehicles and cause accidents, or tamper with medicine pumps in hospitals and harm patients.
Here are four proactive steps CISOs can take to help reduce the risk from potential IoT attacks:
Step 1. Identify IoT initiatives in your organization, understand their business goals, and get involved by:
Inventorying new IoT network endpoints
Planning for IT resources IoT systems will need, such as storage, bandwidth and middleware
Determining the physical security endpoints should have
Establishing the monitoring and alerting required to detect atypical endpoint behavior
Drafting policies governing IoT systems’ secure usage, management and configuration
Communicating IoT systems’ InfoSec, compliance and physical risks to business managers, IT leaders, CxOs and board members
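The first and fourth bullets in Step 1 (inventorying endpoints, and alerting on atypical endpoint behavior) are the two that translate directly into code. The block below is an added example, not from the article or any vendor product: it builds a per-endpoint inventory and behavioral baseline from flow records (source, destination, port, bytes) of the kind a NetFlow/sFlow collector or firewall log produces, then flags endpoints that appear on a later day with no baseline entry, that contact many peers they have never contacted before, or that send far more data than usual. All addresses, device roles, ports and byte counts in the sample are constructed for illustration, and the alert thresholds are assumptions to be tuned per environment.

```python
"""Inventory-and-baseline detection for IoT endpoints (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: int        # observation day (1-based); stands in for a timestamp
    src: str        # IoT endpoint address
    dst: str        # peer address
    dport: int      # destination port
    nbytes: int     # bytes sent by src in this flow


def constructed_flows():
    """Constructed sample, not real traffic: two quiet days, then one noisy day."""
    flows = []
    for day in (1, 2, 3):
        # camera streams to an NVR and syncs time; thermostat talks to a vendor cloud
        flows.append(Flow(day, "10.0.1.12", "10.0.0.5", 554, 200_000_000))
        flows.append(Flow(day, "10.0.1.12", "10.0.0.2", 123, 1_000))
        flows.append(Flow(day, "10.0.1.30", "203.0.113.10", 443, 50_000))
        flows.append(Flow(day, "10.0.1.30", "10.0.0.2", 123, 1_000))
    # Day 3 anomalies: the camera probes 20 neighbours on a port it never used
    # (port 23 is an assumed choice) and pushes 3 GB to an unfamiliar host,
    # and an endpoint that was never inventoried shows up on the network.
    for i in range(40, 60):
        flows.append(Flow(3, "10.0.1.12", f"10.0.1.{i}", 23, 500))
    flows.append(Flow(3, "10.0.1.12", "198.51.100.77", 80, 3_000_000_000))
    flows.append(Flow(3, "10.0.1.99", "203.0.113.50", 443, 2_000))
    return flows


def build_baseline(flows, baseline_days):
    """Inventory each endpoint's (peer, port) pairs and mean daily egress over the baseline window."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.day in baseline_days:
            peers[f.src].add((f.dst, f.dport))
            daily[f.src][f.day] += f.nbytes
    return {
        src: {"peers": p, "mean_bytes": sum(daily[src].values()) / len(baseline_days)}
        for src, p in peers.items()
    }


def detect(flows, baseline, day, new_peer_limit=3, volume_ratio=5.0):
    """Return sorted (endpoint, alert_kind, detail) tuples for endpoints that depart from baseline on `day`."""
    seen = defaultdict(set)
    egress = defaultdict(int)
    for f in flows:
        if f.day == day:
            seen[f.src].add((f.dst, f.dport))
            egress[f.src] += f.nbytes
    alerts = []
    for src in set(seen) | set(baseline):
        if src not in baseline:
            alerts.append((src, "unknown_endpoint", f"{len(seen[src])} peers, not in inventory"))
            continue
        new_peers = seen[src] - baseline[src]["peers"]
        if len(new_peers) > new_peer_limit:
            ports = sorted({p for _, p in new_peers})
            alerts.append((src, "new_peers", f"{len(new_peers)} new peers on ports {ports}"))
        mean = baseline[src]["mean_bytes"]
        if mean and egress[src] > volume_ratio * mean:
            alerts.append((src, "egress_volume", f"{egress[src] / mean:.1f}x baseline egress"))
    return sorted(alerts)


if __name__ == "__main__":
    flows = constructed_flows()
    base = build_baseline(flows, baseline_days={1, 2})
    for src, info in sorted(base.items()):
        print(f"inventory {src}: {len(info['peers'])} peers, {info['mean_bytes']:.0f} bytes/day")
    for alert in detect(flows, base, day=3):
        print("ALERT", *alert)
```

A fixed-function device such as a camera or thermostat has a very small, stable set of peers, which is what makes this simple allow-list style baseline effective for IoT where it would be far too noisy for user workstations. In practice the baseline window should be long enough to cover firmware-update and vendor-cloud traffic, and the thresholds should be tuned per device class.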
Step 2. Poll service providers, partners, contractors and other third parties about their use of potentially insecure IoT systems that may endanger systems or data you’ve given them access to.
Step 3. Do due diligence on IoT system vendors by testing their products’ security and getting answers to questions like:
Can products be scanned, monitored and patched to fix vulnerabilities?
Are they baking security into product design?
Do their systems use secure hardware and software components?
Does product development have expertise on InfoSec areas like secure application development and data protection?
Step 4. Shine the harsh light of regulatory and policy compliance on your organization’s IoT plans, to determine:
Which data will be captured and transmitted by IoT endpoints?
What is the business risk of that data getting breached?
What regulations apply to IoT systems?