IoT: the Threats Keep on Coming (Part 3)

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this series, we discussed why the Internet of Things presents such a security challenge as it grows and evolves to include so many of the formerly “dumb” but now increasingly “smart” devices, machines and appliances that litter the landscape of our lives. In Part 2, we took a look at examples of some of the specific vulnerabilities that plague IoT and explored some possible ways to mitigate the threats that so many people don’t even realize exist.

Securing the ‘Net vs. Securing the “Things”

The Internet of Things, as its name indicates, is made up of two parts: There’s the Internet itself – the vast global network of networks that interconnects us through a complex system of nodes – and there are the “things” that send and receive data over it: client and server computers, tablets, phones, wearable devices and all manner of “smart” appliances, gadgets and toys such as TVs, washing machines, refrigerators, ovens, security cameras, other cameras, cars, locks, lights, music systems, thermostats, gaming systems, medical devices, even automated sprinklers and swimming pools.

It’s logical, then, to look at securing the IoT as a two-pronged challenge: Do you attempt to secure the Internet, secure the things individually, or both?

Securing the Internet is, for any one person or one company, an impossible undertaking. It’s too big a job even for the government, although they keep trying to legislate it into a secure state. There are, of course, things that can be done to make it more difficult for hackers and attackers to do their dirty work, just as there are ways to make our city streets safer – but in the end your security efforts are going to come down to what you can do to protect your own local network and the devices that are connected to it (either on premises or remotely), just as most of the control you have over protecting your physical property comes down to measures that you can implement within your own home or office building.

That’s not good news, because if there were some magical way to devise security at the Internet level, it would be much easier (for individuals and businesses) than having to worry about the security of so many separate devices. Similarly, if it were possible to assure physical security at the city limits or state line, none of us would have to bother with locking our doors or buying alarm systems, safes, tall fences and guard dogs. Unfortunately, the larger a physical or virtual “place” is, the more difficult it is to secure it. And the Internet is vast.

That means our job consists mostly of identifying our valuables and then putting up walls around each one, or each group, to protect it. We might think of the valuables as the clients and servers and other devices that our users use to get their work done, or we might go deeper and consider the true valuables to be the sensitive, personal or irreplaceable data that either resides on or is accessible (such as via the cloud account whose credentials are saved locally) through those devices.

Certainly our homes or company premises are physical manifestations of boundaries that define “our” space, our areas of responsibility and control, and those structures are important to us in and of themselves, just as our electronic devices are – even when the edifice is empty or the device has never been set up or used. But our home becomes infinitely more worth protecting after we’ve moved all of our precious “stuff” into it. For most of us, it’s the content (the furniture, clothing, keepsakes, photographs, gifts, collectables, heirlooms and so forth) that matters to us most.

Likewise, a “thing” on the Internet, whether it’s a full-fledged computer, a tablet, a phone, an appliance or some other connected gadget, might be expensive and we might not want to have to spend the money to replace it, but it’s not just the value of the physical object that makes it valuable to us; it becomes far more a focus of our protective efforts when we’ve saved documents, digital pictures, email, configuration preferences, favorite web site addresses and so forth to the device’s storage space, or when the device contains saved user names, passwords, virtual smart cards and other credentials that can be used to log onto secure web interfaces, your company’s VPN, your cloud services, etc.

These “things” – devices and data – will be the main focal point of our discussion on how you can secure the Internet of Things.

IoT security mechanisms: We’ve been here before

The security measures that protect IoT “things” are going to be familiar to anyone who has had any exposure at all to computer and network security. It’s the same old list:

  • Authentication
  • Access controls
  • Firewalling
  • IDS/IPS
  • Antivirus/anti-malware
  • Patching/updating to correct vulnerabilities in the code

The biggest difference isn’t in what needs to be done, but in how it’s implemented. On the other hand, there are some security mechanisms that we’re used to using in the larger space of computer and network security that aren’t practical for IoT devices. Maintaining large blacklists locally can be a problem with IoT devices, which have very limited storage space. The same is true of encryption technologies that put a heavy load on the processor, since that could have a significant negative impact on the performance of the IoT applications.

These devices often have very limited memory, storage and processing power in order to keep them small and inexpensive and to extend battery life, since many of them are portable. In addition, due to the nature of IoT devices, we – the users of the devices and the admins of the networks to which they connect – often don’t have as much control as we do with traditional computers, tablets and smart phones.

That’s because the latter are running general purpose operating systems that are designed for configurability. IoT devices are, in many cases, dedicated systems that are created to do just one thing, and with limited configurability. Interfaces are often very simple and provide few settings options. There are good reasons for this.

From a cost standpoint, the simpler the code and thus the interface, the less it costs to make the device. From a usability standpoint, the simpler the device, the easier it is for users (many/most of whom may be non-tech-savvy consumers) to use the device for its intended purpose without messing things up and causing it to not do what they want it to do. How many of us who support computer users have locked down their computers so they can’t wreak havoc by playing around with settings they don’t understand? Even from a security standpoint, simplification can be an advantage since a user isn’t as easily able to open up attack vectors by misconfiguring security-related settings.

However, the other side of that is that those who do know what they’re doing, security-wise, might not be able to change default settings to make the devices more secure, or even get the information that we need to determine what security risks a device might pose (such as what version of the underlying operating system and the dedicated applications it’s running and when and whether it’s been updated).

That means we have to rely on the device manufacturers to build security into the hardware and software since it will be far more difficult for us to add it than with traditional computers. You can install all sorts of firewalls and AV and other security applications on your traditional desktop or laptop machine, and to some extent on your tablet or phone, but how do you install a firewall on your surveillance camera or your washing machine? You don’t.

What you can do is:

  • Choose your IoT devices wisely. Evaluate the security of different brands/models. Do your homework. Question the manufacturer regarding the device’s security lifecycle, updates, configuration options, etc. before you buy (or allow BYOD devices to connect to your network). Use devices that have built in firewalls and other security, that allow for device-based access controls, and so forth.
  • If you can’t secure the device, secure the rest of the network. Ensure that you have network-based security appliances protecting against common threats. Realize, however, that the not-so-common protocols used by some of these devices mean your traditional network security mechanisms might not filter them.
  • Make sure available updates and patches are applied in a timely manner. Some devices will give you no choice; updating will be automatic (if and when the device connects to the Internet). Others may allow you to control when updates are applied. Because some IoT devices are continually performing necessary functions, it can be tempting to put off patching – but that can expose the device to attack and compromise security.
  • Get familiar with the devices and how security is implemented. A big part of the problem is that there is so little standardization. Each device is different.
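
The second point above, sketched as an added example (it is not part of the original article): a per-device allowlist applied to flow records from the IoT network segment, which also flags traffic that is permitted but that the network security appliance does not inspect. The device names, addresses, policy and the set of inspected ports are all constructed assumptions.

```python
"""Audit IoT-segment flows against a per-device allowlist (constructed data)."""
from collections import namedtuple

Flow = namedtuple("Flow", "device proto dport dest")

# Hypothetical policy: the only destinations ports each device should use.
ALLOWLIST = {
    "camera-01": {("tcp", 443)},
    "thermostat-01": {("tcp", 8883)},   # MQTT over TLS
    "sprinkler-01": {("udp", 5683)},    # CoAP
}

# Assumption: the (protocol, port) pairs the perimeter appliance can parse.
INSPECTED = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

# Constructed sample flow records (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("camera-01", "tcp", 443, "203.0.113.10"),
    Flow("camera-01", "tcp", 23, "198.51.100.7"),
    Flow("thermostat-01", "tcp", 8883, "203.0.113.20"),
    Flow("sprinkler-01", "udp", 5683, "203.0.113.30"),
    Flow("washer-01", "tcp", 443, "203.0.113.40"),
]


def audit(flows, allowlist=ALLOWLIST, inspected=INSPECTED):
    """Return (device, (proto, port), reason) for every flow needing review."""
    findings = []
    for f in flows:
        key = (f.proto, f.dport)
        if f.device not in allowlist:
            # Device was never inventoried, so no policy exists for it.
            findings.append((f.device, key, "unknown-device"))
        elif key not in allowlist[f.device]:
            # Known device using a service outside its expected behaviour.
            findings.append((f.device, key, "not-allowlisted"))
        elif key not in inspected:
            # Expected traffic, but the appliance is blind to its content.
            findings.append((f.device, key, "allowed-but-uninspected"))
    return findings


if __name__ == "__main__":
    for device, (proto, port), reason in audit(SAMPLE_FLOWS):
        print(f"{device:14} {proto}/{port:<5} {reason}")
```
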

Summary

In parts 1 and 2, we’ve examined the IoT threat landscape and why the Internet of Things poses new security challenges that must be addressed before its potential can be realized. In this, part 3, we gave an overview of security mechanisms that can be used (and some that aren’t practical) for securing IoT devices. In Part 4, we’ll dig a little deeper into that and look at some particular examples.