Dark Reading is part of the Informa Tech Division of Informa PLC

3/28/2018
09:00 AM
Simon Eappariello
Partner Perspectives

Getting Ahead of Internet of Things Security in the Enterprise

In anticipation of an IoT-centric future, CISOs must be rigorous in shoring up defenses that provide real-time insights across all network access points.

One of the prevailing critiques of the Internet of Things (IoT) has been targeted at manufacturers who only consider cybersecurity an afterthought. As a result, the burden to protect these devices from massive botnet attacks and hacking attempts generally falls on information security teams and consumers themselves, who are rushing to purchase the latest gadgets – from kids’ toys to smart thermostats – at a faster pace than manufacturers can defend them. 

This is especially worrisome as specialized IoT devices are adopted in specific industries and sectors. Consider the potentially catastrophic consequences if IoT implants used in healthcare are compromised, or IoT tools tracking safety conditions in a factory are rendered nonfunctional by a DDoS attack.

In an attempt to turn the tide on rampant security flaws surrounding IoT in almost every context, the United Kingdom’s Department for Culture Media and Sport – in conjunction with the country’s National Cyber Security Centre – published the "Secure By Design" report, which outlines 13 directives that manufacturers should consider when designing connected products.

IoT Innovation Versus IoT Security
The goal of the guidance is to throttle – only slightly – the rapid pace of innovation with IoT to protect industries and consumers that are already highly vulnerable to cybersecurity threats. It’s an early-stage attempt to regulate the endpoint security on IoT products in the same way the FDA holds food producers to standards of health and safety stateside, barring unfit products from store shelves if they don’t pass muster. The problem here, however, is that all of the guidance is optional, and none of the standards outlined in the report can be enforced.

That said, despite the UK government’s admirable early efforts to beef up device-level security, network and information security teams will have to lead the charge in keeping user data protected as the IoT continues to proliferate. In anticipation of an IoT-centric future, chief information security officers will need to make sure that their current network architecture and infrastructure are streamlined and functional to accommodate the larger cybersecurity burdens to come.

Take Stock of All “Periphery” Devices
For starters, it’s important for CISOs to understand the full scope of their organization’s connected footprint. It may sound easy enough, but there are many periphery technologies – multifunction printer/copier/fax machines, for instance – that are less scrutinized than the smartphones or laptops that get the most attention.

Tying up all the loose ends is essential: an older fax machine, for instance, should get the same protections and feature parity from the security tools that service tablet computers. This will make it easier to tailor protections for the lower-bandwidth, beacon-sensor communications that the network will need to support in tomorrow’s wider-scale IoT rollouts.

Assign Permissions to Employees and Assets
Network access control (NAC) schemes need to be drafted that anticipate an IoT-heavy future, but with an eye to the past. For instance, controls must be configured to make sure that unrecognized or unauthorized devices aren’t using access to an oft-forgotten printer/copier/fax as a pathway to more valuable network data. This requires teams not only to reference device and user registries – and to update them regularly – when mapping out NAC architectures, but also to use security tools that provide real-time traffic insights across all network access points.

The biggest challenge to network security in any context is mapping just how large the scope of connected devices already in use really is. Not only are consumers bringing their own IoT gadgets into the office – Amazon Echos in the C-Suite, for instance, or smart picture frames – but the peripheral technology found in almost every office – security cameras, smart TVs in the lobby – is a prime target for hackers because it often gets overlooked.

Until manufacturers can catch up with device-level defenses, IoT cybersecurity will continue to fall on the shoulders of network and security teams, both of which must be rigorous in scrutinizing all network defenses.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering ...