Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
3/28/2018
09:00 AM
Simon Eappariello
Simon Eappariello
Partner Perspectives
50%
50%

Getting Ahead of Internet of Things Security in the Enterprise

In anticipation of an IoT-centric future, CISOs must be rigorous in shoring up defenses that provide real-time insights across all network access points.

One of the prevailing critiques of the Internet of Things (IoT) has been targeted at manufacturers who only consider cybersecurity an afterthought. As a result, the burden to protect these devices from massive botnet attacks and hacking attempts generally falls on information security teams and consumers themselves, who are rushing to purchase the latest gadgets – from kids’ toys to smart thermostats – at a faster pace than manufacturers can defend them. 

This is especially worrisome as specialized IoT devices are adopted in specific industries and sectors. Consider the potentially catastrophic consequences if IoT implants used in healthcare are compromised, or IoT tools tracking safety conditions in a factory are rendered nonfunctional by a DDoS attack.

In an attempt to turn the tide on rampant security flaws surrounding IoT in almost every context, the United Kingdom’s Department for Culture Media and Sport – in conjunction with the country’s National Cyber Security Centre – published the "Secure By Design" report, which outlines 13 directives that manufacturers should consider when designing connected products.

IoT Innovation Versus IoT Security
The goal of the guidance is to throttle – only slightly – the rapid pace of innovation with IoT to protect industries and consumers that are already highly vulnerable to cybersecurity threats. It’s an early-stage attempt to regulate the endpoint security on IoT products in the same way the FDA holds food producers to standards of health and safety stateside, barring unfit products from store shelves if they don’t pass muster. The problem here, however, is that all of the guidance is optional, and none of the standards outlined in the report can be enforced.

That said, despite the best early and admirable efforts of the UK government to beef up device-level security, network and information security teams are really going to have to lead the charge in keeping user data protected as the IoT continues to proliferate. In anticipation of an IoT-centric future, chief information security officers will need to make sure that their current network architecture and infrastructure is streamlined and functional to accommodate the larger cybersecurity burdens to come.

Take Stock of All “Periphery” Devices
For starters, it’s important for CISOs to understand the full scope of their organization’s connected footprint. It may sound easy enough, but there are many periphery technologies, multifunction printer/copier/fax machines, for instance, that are less scrutinized than the smart phones or laptops that get the most attention.

Tying up all the loose ends and ensuring that an older fax machine, for instance, enjoys the same protections and feature parity from the security tools servicing tablet computers is essential. This will make it easier to tailor protections for the lower-bandwidth, beacon-sensor communications that the network will need to support in tomorrow’s wider-scale IoT rollouts.

Assign Permissions to Employees and Assets
Network access control (NAC) schemes need to be drafted that anticipate an IoT-heavy future, but with an eye to the past. For instance, controls must be configured that make sure that unrecognized or unauthorized devices aren’t using access to an oft-forgotten printer/copier/fax as a pathway to more valuable network data. This requires teams to not only reference device and user registries – and to update them regularly – when mapping out NAC architectures, but to use security tools that provide real-time traffic insights across all network access points.

The biggest challenge to network security in any context is mapping just how large the scope of connected devices already in use really is. Not only are consumers bringing their own IoT gadgets into the office – Amazon Echos in the C-Suite, for instance, or smart picture frames – but the peripheral technology found in almost every office – security cameras, smart TVs in the lobby – are prime targets by hackers because they often get overlooked.

Until manufacturers can catch up with device-level defenses, IoT cybersecurity will continue to fall on the shoulders of network and security teams, both of which must be rigorous in scrutinizing all network defenses.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18218
PUBLISHED: 2019-10-21
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVE-2019-18217
PUBLISHED: 2019-10-21
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
CVE-2019-16862
PUBLISHED: 2019-10-21
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the context of a user's session via the pid parameter.
CVE-2019-17409
PUBLISHED: 2019-10-21
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVE-2019-10715
PUBLISHED: 2019-10-21
There is Stored XSS in Verodin Director before 3.5.4.0 via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages.