By Joseph Dalessandro
October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.
Love it or despise it, the Internet of Things (IoT) has forever altered human thinking and interaction. Increased telemetry from our bodies through wearable tech, and app-based analysis of data about our health and personal space, have made discovery, identification and interaction with others through apps and smart devices the new norm. How will this explosion of devices change our mission objective as security leaders and professionals?
The term IoT is generally applied to “endpoint” objects such as devices, wearables, cameras, chips, toys, and other objects that can be accessed through a connection such as WiFi or other carrier signals and interacted with via the internet. Examples that have become pervasive include Fitbit wearables, iWatches, Alexa or Google Home devices, Nest thermostats, and medical devices such as insulin pumps. While these devices are limited in capability, often just one or two functions or a binary on/off state, the sheer number of devices and the absence of uniform minimum security standards from manufacturers present a problem (several, actually) for our IT departments’ infrastructure management and security professionals.
We can easily find statistics about the number of devices that have emerged in earnest since 2008. The 2017 Cisco Visual Networking Index provides a comprehensive view of some of those numbers. Two of my favorite highlights from this report include:
- There will be 3.5 networked devices per capita by 2021 (global population 7.875 times 3.5)
- IP traffic in North America will reach 85 EB per month by 2021 (And North America will not be the highest trafficked global region)
While I am not sure where that bandwidth comes from (I cannot consistently get great streaming bandwidth for Netflix sometimes), what worries me more is patching, tracking and controlling devices. Now, I am not suggesting we control all devices, but I need to control the ones that are on my network, because they will increase the potential attack surface of our networks by orders of magnitude. The more devices you add outside of implemented and effective controls, the sooner your organization will suffer a breach. Therefore, if you don’t get roles such as patching right, you will be lost under the crushing weight of IoT adoption rates. We have to get the “basics” right to ensure we have a foundation capable of integrating IoT devices. We will also need to assess risk and device configuration and a number of other areas we will not venture into here.
In the world of cyber security, people and data are what we are most accustomed to thinking about protecting and defending. How do we wrap our heads around the potential problems of IoT, where the numbers are so much higher? I would submit that we undertake the following approach:
1. Get the basics right. There will be a lot of debate about what “get the basics right” means, but at a high level I am referring to:
   - Have a comprehensive security program based on risk, with regular assessments
   - Identify where all your data is located and ensure it is appropriately categorized
   - User access, and privileged access, is controlled and re-certified (access for IoT devices as well)
   - Network traffic is premeditated and segmented, and network information is logged and monitored (this must also scale)
   - Systems management has KPIs and documented configuration baselines, or employs a CMDB
   - Change management and patching are religiously observed and followed
   - There is a formal incident management/response process (and IR is adjusted and augmented for IoT)
   - There is a crisis and contingency management plan that is tested and updated annually
Yup, that was just step 1. Get all this right and you can start to think about being able to control IoT in your ecosystem.
2. Determine the level of increased risk, or changed risk, related to data loss or breach from #3.
3. Augment your information management or data governance policies and processes to encompass IoT increased data creation and interaction.
4. Determine the physical limits or extensions of IoT devices. Can users outside your physical location use devices or access devices inside your physical location? Do you need to limit (or attempt to limit) the carrier signal outside your four walls?
5. Hire a competent and qualified leader to bridge between security and IT. Brandeis Information Security Leadership graduates are great candidates.
IoT is a big problem that can seem overwhelming, where unpatched devices can increase your threat surface by orders of magnitude. Remember, getting the basics right will see you treating IoT with the same risk strategy that has allowed you to manage technology risk.
Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics at Australian Unity.
Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact firstname.lastname@example.org, call 781-736-8787 or visit www.brandeis.edu/gps.