@ISACA Volume 7, 5 April 2017

Five Key Risk and Security Considerations for Internet of Things


The Internet of Things (IoT) exponentially expands the threat and vulnerability landscape with which any organization or individual using these devices must contend. The notion of “you are only as strong as your weakest link” takes on new meaning with the introduction of IoT devices. Risk and security professionals now must consider devices and items that were once considered out of scope, such as door locks, thermostats, digital video recorders and appliances. These devices can become both attack sources and probable targets of attack, so risk and security professionals need to consider them as they perform their threat and vulnerability analysis activities. As with any risk and security conversation, there will be trade-offs that may affect risk-based decisions at every step of development, deployment, operation, monitoring and response for the emerging IoT world.

IoT will challenge manufacturers of devices, operators, and risk and security professionals to think differently and progressively about security. The need for security to be comprehensively and continuously considered and addressed in IoT technologies and capabilities is clear. The question now becomes how effective manufacturers and risk and security professionals will be at identifying and addressing these security needs. There are many risk and security considerations that organizations and individuals must weigh as IoT becomes less of a concept and more of a reality. The following five areas are key risk and security considerations:

  1. Every endpoint is a potential entry point—The proliferation of IoT will bring about an exponential increase in the number of devices that are attached to networks. IoT devices will need bidirectional network communication to both internal networks and the Internet to operate effectively. Each of these endpoints now becomes a point of consideration and concern for risk and security, since each of them is potentially an entry point for an adversary into internal networks to which they have access.
    IoT devices are likely to be built by numerous manufacturers, on multiple open-source and proprietary operating systems, and these systems have various levels of computing power, storage and network throughput. Each IoT endpoint will need to be identified and profiled, added to an asset inventory, and monitored for health and safety. IoT devices are likely to become advantageous attack points for adversaries due to these factors and because organizations and individuals will be unable to adequately monitor them or efficiently address their security.
  2. Adversaries can leverage IoT devices for attacks—There have been recent attacks that demonstrate how IoT devices can be used by attackers to carry out effective and business-impacting attacks. In the case of Brian Krebs, a popular security reporter and blogger, his web presence was impacted by a distributed denial-of-service (DDoS) attack that originated from a large collection of digital video recorders and other seemingly benign network-enabled devices. The source code for the malware used in the attack, “Mirai,” has been released to the hacking community and is now available for widespread use by adversaries, which increases the likelihood of similar attacks in the future. Traditionally, DDoS attacks of the magnitude used against Krebs would have been extremely costly to carry out due to the number of originating systems that would have to be captured and controlled, resulting in a high cost of entry for this kind of attack. But with the emergence of IoT devices being used as source devices, this is no longer the case, and the barriers to entry for carrying out an attack of this type are now much lower or even nonexistent.
    It should also be understood that IoT devices will now need to be considered as sources of advanced and sophisticated attacks. IoT devices are likely to operate using a version of the Linux operating system or some other popular operating system, which means that the attack tools that are available now, and those that continue to be built in the future, will operate on these devices. Your toaster may become the source of a significant and business-impacting attack against your own environment or someone else’s in the future if it is not properly considered, protected and monitored.
  3. Data collection of IoT devices needs to be understood—IoT devices are likely to gather, store, process and transmit a significant amount of nonpublic personal information (NPPI) or personally identifiable information (PII), either intentionally or unintentionally. These data have the potential to be used by adversaries to gain intelligence about individuals or organizations and their vulnerabilities that could be exploited. Since these devices will not be easily recognized for the data that they gather or interact with, it will be important to have a full understanding and disclosure of how the device operates and the data with which it works. Only then can appropriate information risk and security analysis and consideration be made.
    An example of this type of situation can be found in the telemetry data of network-connected door locks. In these devices, users are often given individual access codes and privileges that generate unique data about user access activities and their movements within a secured facility. These movements can be correlated with other data points to build a profile of an individual’s movements and activities, which can be exploited as part of an attack scheme by an adversary.
  4. IoT manufacturers may not consider risk and security appropriately in their products—Enabling network connectivity for devices that traditionally did not incorporate information technology into their function and design will require manufacturers to develop new capabilities, provide new support functions and integrate security capabilities into their products. Manufacturers may not realize the risk and security considerations, impacts and/or requirements that they need to address, which creates the opportunity for vulnerable devices to be produced. Consider that numerous early-generation network-connected door locks from traditional lock manufacturers were found to be easily compromised: they often lacked basic security features, such as complex passwords and encryption, and ran software that was vulnerable to issues listed in the Open Web Application Security Project (OWASP) Internet of Things Top 10 Vulnerability Categories for IoT devices.
    It is important for risk and security professionals to develop evaluation methods, practices and criteria to evaluate IoT devices prior to their introduction to an environment or connection to internal and external networks. A comprehensive threat and vulnerability analysis should be performed to identify the possible, probable and materially impacting threats. This analysis can then be used to inform an individual or organization about the material threats and vulnerabilities so they can be factored into a risk assessment prior to introduction and use.
  5. Patching, configuration management and maintenance become exponentially more difficult—Good IT hygiene is core to any successful risk and security strategy. Key elements of IT hygiene include patching, configuration management and system maintenance. The introduction of IoT devices will make this already daunting task exponentially more difficult. It is essential that IoT devices can be centrally managed, configured and maintained to ensure effective and appropriate risk and security measures can be implemented and maintained. When reviewing IoT solutions and devices, risk and security professionals need to consider how they will ensure all devices will be maintained, how responsive manufacturers will be in identifying and remediating vulnerabilities, and what their options are for implementing compensating controls when manufacturer-produced fixes are not readily available or cannot be easily introduced.

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Reducing Incident Response Time Webinar


Source: Chris Clor/Getty Images

It takes, on average, 147 days to find and respond to security breaches. While this response time has been decreasing over the years, it could be even lower. ISACA and PhishMe have partnered to present the “How Prairie Dogs Improve Incident Response” webinar, which can help enterprises reduce their incident response time. This webinar will take place on 6 April at 12PM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

In this roundtable webinar, Rohyt Belani, cofounder and chief executive officer of PhishMe, Joe Burkard, CISA, CISM, CISSP, chief information security officer and director of IT security at Sidley Austin LLP, and Todd Fitzgerald, CISA, CRISC, CISM, CGEIT, senior vice president and chief administrative officer of Information Security and Technology Risk at Northern Trust, will discuss the detection techniques of prairie dogs and how they can be applied to cyber security. They will also discuss real-life examples of phishing emails that bypassed technological security measures but were stopped by employees.

To learn more about this webinar or to register for it, visit the How Prairie Dogs Improve Incident Response page of the ISACA website.


Spanish Translations of Full ISACA Journal Issues


ISACA is now offering Spanish translations of the ISACA Journal. Going forward, these full-issue translations will be available for each Journal issue. The translations will be available 1-2 months after each Journal issue is released. ISACA membership is required to view these translated Journal issues. Volumes 3-6, 2016, and volume 1, 2017, of the Journal are currently available. ISACA thanks the Santiago (Chile) Chapter for donating these translations.

The Spanish translations can be viewed on the Spanish page of the ISACA website or on the Journal page of the ISACA website.


ISACA Certifications Are a Prerequisite in Hong Kong


Source: pavrich/Getty Images

The Hong Kong Monetary Authority’s (HKMA) Cyber Resilience Assessment Framework outlines the prerequisites necessary to be an assessor working with the framework. ISACA’s Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM) certifications, along with the Cybersecurity Nexus (CSX) Fundamentals and Practitioner certifications, are prerequisites for assessors working with the Cyber Resilience Assessment Framework. The HKMA holds ISACA certifications in high regard, and those with these certifications benefit from improved job opportunities.

For financial institutions, the CISA, CRISC, CISM and Certified in the Governance of Enterprise IT (CGEIT) certifications are recommended for bank security practitioners, and this recommendation is outlined in the HKMA Enhanced Competency Framework.

For more information on the CISA, CRISC, CISM or CGEIT certification, visit the Certification page of the ISACA website. Information on the CSX Fundamentals or Practitioner certification can be found on the CSX Credentialing page of the ISACA website.