Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/15/2017
10:00 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

IoT Security: A Ways To Go, But Some Interim Steps For Safety

The Internet of Things remains vulnerable to botnets and malware, but Cisco's Anthony Grieco offers some tips to keep networks and users more secure

RSA CONFERENCE – San Francisco -  It's pretty much impossible to tune out the attention paid to the Internet of Things here at the security industry's largest gathering. While the IoT wins plenty of renown for its granularity, flexibility, and ability to generate lost of useful data, it's also getting dinged for its porous security, if it has any security at all.

End-users and security vendors got a preview of the IoT's vulnerability in October when Dyn Corp.'s network suffered a massive distributed denial-of-service (DDoS) attack, with the Mirai IoT botnet marshaling more than 100,000 infected devices to overwhelm Dyn servers with bogus traffic. And in a Mirai encore, researchers this week revealed the IoT botnet is tapping a new, Windows-based Trojan that helps find potential Mirai victims, and amplifies the Mirai bots distribution, according to a report from TrendLabs, the research arm of Trend Micro.

A conversation at RSA with Anthony Grieco, senior director and trust strategy officer at Cisco, helped shed some additional light on the state of IoT security, and what end-user organizations can do to protect themselves. Cisco, a vocal champion of IoT technologies and capabilities, also taps the IoT for internal applications and services, so Grieco spoke with Dark Reading as much as a user as a vendor of IoT products.

"We have IoT all over our enterprise and we think about how we defend against risks," Grieco says, referring to printers, thermostats and even some building management apps that use IoT technology. "We think a lot about resilience, but IoT drives that conversation."

Not surprisingly, Cisco views the enterprise network as the centerpiece (think backbone switches, routers, and workgroup gear); the network is the place for control, access, and administration that allows customers to enforce policies that govern IoT use and other services. "As the IoT grows, the network becomes the place that drives the policy, connectivity, and capability," Grieco explains. "Something you'll see is the network becoming more aware and able to protect the IoT devices."

More immediately, Grieco suggests implementing 802.1X, a port-based Network Access Control (PNAC) standard that handles authentication of devices trying to connect to a LAN or Wi-Fi network as an IoT security measure.

He's also a fan of virtual segmentation technologies that allow for secure compartmentalization of virtual and network elements to reduce overall vulnerability. Segmentation also helps turn up anomalies more efficiently. "A wireless video camera should not be ordering a book from Amazon, for example," Grieco says with a grin.

There are tangible steps users can take to protect their IoT assets and infrastructure. Grieco encourages having defined policies for each segmented element that details its access and communication rights as thoroughly as possible. He also suggests having a unique identifier for each individual IoT device, "a non-trivial challenge, depending on the deployment," Grieco adds.

Many customers either lack the infrastructure IoT defense and protection, or haven't made capital improvements in a while. And that's to the detriment of their individual businesses; Grieco cites a Cisco survey showing 39% of customers had to suspend a major strategic initiative because of the state of their security. If customers aren't ready from a cybersecurity perspective, it will impede them competitively, he says.

Those recommendations are a good start, given that IoT continues to have security gaps, but there are other areas that need to be considered too, says Merritt Maxim, senior analyst at Forrester. He likes the idea of going beyond device identification to identity identification of the user of the device.

Connected home and connected car environments have a single device but multiple potential users with potentially different levels of authorization, Maxim says. While not required in every device, many still support multiple user profiles. "This could go further and also improve the customer experience as well in a multi-user, single-device home environment," he adds.

Another challenge with managing identity occurs when devices have multiple connected partners or tenants. "You have a hardware vendor, software vendors, and maybe even a services company that need to run some code on a specific device," Maxim says, wondering how the industry can formulate an approach that allows regular, automated software updates in the same way. "Right now, it requires a lot of coordination and manual effort."

If nothing else, the advent of the IoT is helping to push the security conversation across the entire enterprise and not just in the IT department Cisco's Grieco says. "It's gratifying to see security's emergence from a back-office function to security all across your business and something everyone has to be concerned with," he says. "That's the most exciting thing and I see evidence of it here and at other conferences."

Related Content:

Save

Save

Save

Save

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.