IOT Blog Series - Part One - Familiarity, Visibility, Responsibility

This is the start of a series of articles about the Internet of Things (IoT). There is a lot of hype around risks associated with compromised IoT devices and the purpose of this series is to help executives and technologists deal with these risks in a holistic manner.

First, we should agree what IoT devices are. For the purposes of these posts I am going to define IoT devices as any device other than a computer, server or networking hardware that is connected to a network. Generally I’m looking at this from a business perspective although much of this thinking can be applied to consumer devices in and around the modern home.

Why is IoT different than the rest of the devices on my network?

  1. Familiarity

  2. Visibility

  3. Responsibility

Familiarity: Your typical IT department has many years of experience securing Windows desktops, installing anti-virus software and configuring the Cisco firewall that sits at the edge of a network. There are well established configuration standards, processes and experts within organizations to deal with these devices. IoT devices are often new to IT, these devices are often managed by a third party vendor or the cafeteria staff (in the case of the wifi-enabled toaster) or the building security contractor. Not only are the devices new to IT but so are the underlying technologies that power the devices. They’re often running less common operating systems, using protocols IT is less familiar with (RabbitMQ, Zigbee) and often no access is provided to the devices to IT.

The bottom line is that there is an unfamiliarity with the devices and the underlying technologies the devices rely upon.  Time and training will gradually address this issue.

Visibility: How confident are you that you have a detailed inventory of all the IoT devices on your network or that your organization relies upon to some degree? How long would it take you to discover a new IoT device had been added to your network?

Even in organizations that have an awareness that IoT devices carry a set of risks these teams are often surprised at how many internet connected devices are actually in their facilities.  

Addressing the visibility gap is about automated detection tools residing in your network, policies about involving IT for any device with an IP address and keeping a detailed inventory of the devices. Second only to having an inventory, the most important next step is that the inventory identifies the responsibility hierarchy for these devices.

Responsibility: I think the biggest thing that is impacting the security of IoT devices, is a lack of a clear responsibility hierarchy.  If I asked you who in your organization is responsible for protecting your CEO’s Windows laptop from hackers you probably wouldn’t need to think too hard. Joe, our Chief Information Officer. Or Bill, our Network Administrator.

If I instead asked who is responsible for the security of the administration console for the IP Video surveillance camera in your front lobby, or who is the person who is confident they are in control of all the access credentials for your buildings intrusion alarm, the answer would probably take a bit more thinking.

IoT devices are often introduced by a variety of people across the organization. HR brings in a xBox and internet enabled fridge for the staff party. The facility AV tech brings in a “smart TV” for the boardroom (that just so happens to have a camera and microphone connected to an internal computer that got a firmware update --- never). The generator maintenance technician that connects the generator controller to the network for remote programming. The intrusion alarm company that supplies the workstation that you program new building access fobs with. All these are examples of devices that are connected to the network but not necessarily ordered and managed by IT.

For every device on the network it is critical to identify who is responsible for:

  • Approval of the device being connected to the network

  • Identifying the storage locations of and approval for the collection of any personal or corporate information collected by the device

  • Device updates

  • Security review of the device

If the answer is the vendor, what level of trust do we have that the vendor will be doing security updates, rotating credentials when their staff leave, etc, etc.


This brings us to our next topic in the IoT Blog Series….Supply Chain Risk

This article was written by Ryan Wilson, a member of the Sky Northern Security Alliance. If you'd like assistance looking at your IoT security, drop us a service request and we'll get in touch.

Vulnerability Management – not bleeding edge but still critical

by Ritchie Leslie, Credo Trust

This week I attended the Privacy & Security Conference at Thompson Rivers University in Kamloops.  Kudos to TRU for an excellent day jam packed with good presentations.

One of the presenters from a large institution talked about their experience managing their way through a successful ransomware attack that disabled several critical applications and the effort required to pick up the pieces and move forward afterwards.  The speaker was compelling, but two points jumped out to me during the session.

First was the mention that the ransomware infected their IT systems through a vulnerability.  Second was the point that in the mopping up phase one of the follow up actions was the establishment of a comprehensive vulnerability management program.   I found myself wondering if the two were connected.

Simply put, a decent vulnerability management program scans an environment for known vulnerabilities, provides actionable information on the riskiest vulnerabilities to the right people responsible for remediation (often but not always through patching), workflow features to enable remediation and reporting to management and business stakeholders on trends over time for high risk vulnerabilities and remediation efficiency.

In our experience at Credo Trust, too many organizations take a tick-the-box approach to the scanning part and ignore the effectiveness and efficiency of remediation, if indeed it’s done at all.  It’s just like a farmer knowing that the cows are in a field where the gate to the road is open, and not doing anything about it.

The vulnerabilities picked up by a scanner are the easiest points of attack.  They need to be fixed. We have to continue to educate stakeholders that this may not be as bleeding edge as using an AI engine to analyze possible hostile traffic, but it’s foundational and important in any decent IT security program.  If you’re interested in learning more check out our website at www.credovm.com amongst other sources.

Credo Trust is a member of the Sky Northern Security Alliance specializing in vulnerability management. If you'd like assistance with your vulnerability management program, get in touch via a service request.

 

Security is everyone's job.

by Michael Argast, Sky Northern Inc

One of the biggest challenges we face in Information Security is the need to pivot from it being a priesthood - the role of a select few who have the arcane knowledge and power - to a religion which has been adopted by the masses. 

The term ‘computer’ used to mean ‘one who computes’ - it was a job description rather than a physical device. As time progressed, we had armies of specially trained people who would program massive room sized devices. As computers became more powerful, smaller and ubiquitous, we moved from it being a specialized professional tool to something a two-year old could pick up and use. 

Today, we expect everyone in a professional environment to have computer skills. They could be rudimentary - Microsoft Office, Outlook, they could be specialized (AutoCad and Engineering). Not everyone is expected to have every skill, but everyone is expected to have the skills necessary to do their job.

I propose we need to move to this approach in security. Instead of security skills being a talent that is hidden deep in a priesthood, it needs to be part of everyone’s job. 

The receptionist needs to be not only skilled on phones, greetings, taking messages - but also skilled in avoiding social engineering techniques.

The physical security guards for an office building need to be looking out not only for people stealing atoms, but also people stealing bits.

Developers need to have skills not only in Java, Swift, C++ and PHP, but also the security development life cycle, fuzzing, buffer overflows and input validation.

The CFO needs to have skills not only in financial management, internal rate of return calculations and foreign exchange hedging, but also recognizing and avoiding business email scams.

HR needs to not only have skills in hiring, talent management and benefits plan analysis, but also background and criminal checks, strategies for dealing with inappropriate use of systems.

Until we bring security out of the shadows, and into the light, we will continue to struggle. It is only when we properly integrate security into everything we do that we will start to turn the corner. 

Security is everyone’s job, let’s get to work.

 

Thanks for reading! If you'd like assistance with your security awareness programming, the security of your DevOps program or assistance in developing a security strategy for your organization, get in touch via a services request.