INFORMATION SECURITY
Insider Edition
AUGUST 2014

SECURING THE INTERNET OF THINGS

The emerging Internet of Things raises new security concerns and puts a spin on old ones. In this Insider Edition, InfoSec pros find out how to assess IoT risks and create an effective IoT security policy.

CONTENTS
EDITOR’S DESK
SEVEN IOT RISKS YOU MUST CONSIDER
IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?
WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGS

EDITOR’S DESK

THE BENEFITS OF THE INTERNET OF THINGS CAN’T OVERSHADOW SECURITY CONCERNS

While connecting billions of new devices to the Internet offers many advantages, organizations must also manage the risks involved.

BY BRANDAN BLEVINS

By 2015, Cisco predicts that around 25 billion devices will be connected to the Internet. That number is expected to double by 2020. This web of Internet-connected devices, dubbed the Internet of Things, has been touted by tech giants as a way to efficiently share data and improve lives. Indeed, we’ve already seen compelling products introduced, and the companies creating these items are profiting from API monetization schemes and other efforts.

Still, the danger associated with connecting billions of potentially vulnerable devices—many of which share sensitive data—to the Internet has not been discussed enough. This Insider Edition aims to explore those risks and how organizations can mitigate them. First, expert Ajay Kumar enumerates seven of the most pressing enterprise IoT risks today, some of which will look familiar on first glance: DDoS attacks, patch management challenges and traffic analytics. The nature and number of IoT devices puts a twist on those risks, though.

In the other features, we explore some of the challenges associated with securing IoT devices. Experts say the devices may not have the processing power to run security software, while debate also remains over which party is even responsible for securing the Internet of Things.

Numerous enterprises may see IoT as a potential gold rush, but security can’t be ignored. This Insider Edition will help enterprises achieve the benefits associated with the Internet of Things while containing the risk.

BRANDAN BLEVINS is the news writer for TechTarget Security Media Group.


COVER STORY: RISKS

SEVEN IoT RISKS YOU MUST CONSIDER

The Internet of Things is growing fast, and so are the risks. Here are seven risks that must be taken into account when planning an IoT policy.

By Ajay Kumar

The day when virtually every electronic device—from phones and cars to refrigerators and light switches—will be connected to the Internet is not far away. The number of Internet-connected devices is growing rapidly and is expected to reach 50 billion by 2020.

However innovative and promising it seems, this so-called Internet of Things (IoT) phenomenon significantly increases the number of security risks businesses and consumers will inevitably face. Any device connecting to the Internet with an operating system comes with the possibility of being compromised, becoming a backdoor for attackers into the enterprise.

In this feature, I discuss the proliferation of the Internet of Things and explore what enterprises can do to manage the security risks associated with IoT devices.

WHAT IS THE IoT? WHY IS IT GROWING IN POPULARITY?

The IoT sensation is rapidly embracing entire societies and holds the potential to empower and advance nearly each and every individual and business. This creates tremendous opportunities for enterprises to develop new services and products that offer increased convenience and satisfaction to their consumers.

On the user side, Google recently announced that it is partnering with major automakers Audi, General Motors and Honda to put Android-connected cars on the roads. Google is currently developing a new Android platform that connects these cars to the Internet. Soon, car owners will be able to lock or unlock their vehicles, start the engine or even monitor vehicle performance from a computer or smartphone.

The promises of IoT go far beyond those for individual users. Enterprise mobility management is a rapidly evolving example of the impact of IoT devices. Imagine if suddenly every package delivered to your organization came with a built-in RFID chip that could connect to your network and identify itself to a connected logistics system. Or picture a medical environment in which every instrument in the exam room is connected to the network to transmit patient data collected via sensors. Even in industries like farming, imagine if every animal were digitally tracked to monitor its location, health and behavior. The IoT possibilities are limitless, and so is the number of devices that could manifest.

However, despite the opportunities of IoT, it also comes with many risks. Any device that can connect to the Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are often not designed with security as a primary consideration, vulnerabilities are present in virtually all of them—just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.

Enterprises and users alike must be prepared for the numerous issues of IoT. Listed below are seven of the many risks that are inherent in an Internet of Things world, as well as suggestions to help organizations prepare for the challenge.

1. DISRUPTION AND DENIAL-OF-SERVICE ATTACKS

Ensuring continuous availability of IoT-based devices is important to avoid potential operational failures and interruptions to enterprise services. Even the seemingly simple process of adding new endpoints into the network—particularly automated devices that work under the principle of machine-to-machine communications like those that help run power stations or build environmental controls—requires businesses to focus attention on physical attacks on the devices in remote locations. As a result, the business must strengthen physical security to prevent unauthorized access to devices outside of the security perimeter.

Disruptive cyberattacks, such as distributed denial-of-service attacks, could have new detrimental consequences for an enterprise. If thousands of IoT devices try to access a corporate website or data feed that isn’t available, formerly happy customers will become frustrated, resulting in revenue loss, customer dissatisfaction and potentially poor reception in the market.

Many of the challenges inherent to IoT are similar to those found in a bring your own device environment. Capabilities for managing lost or stolen devices—either remote wiping or at least disabling their connectivity—are critical for dealing with compromised IoT devices. Having this enterprise strategy in place helps mitigate the risks of corporate data ending up in the wrong hands. Other policies that help manage BYOD could also be beneficial.

2. UNDERSTANDING THE COMPLEXITY OF VULNERABILITIES

Last year, an unknown attacker used a known vulnerability in a popular Web-connected baby monitor to spy on a two-year-old. This eye-opening incident goes to show what a high risk the IoT poses to enterprises and consumers alike. In a more dramatic example, imagine using an IoT device like a simple thermostat to manipulate temperature readings at a nuclear power plant. If attackers compromise the device, the consequences could be devastating. Understanding where vulnerabilities fall on the complexity meter—and how serious of a threat they pose—is going to become a huge dilemma.

To mitigate the risk, any project involving IoT devices must be designed with security in mind, and incorporate security controls, using a pre-built role-based security model. Because these devices have hardware, platforms and software that enterprises may never have seen before, the types of vulnerabilities may be unlike anything organizations have dealt with previously. It’s critical not to underestimate the elevated risk many IoT devices may pose.

3. IoT VULNERABILITY MANAGEMENT

Another big challenge for enterprises in an IoT environment is figuring out how to quickly patch IoT device vulnerabilities—and how to prioritize vulnerability patching.

Because most IoT devices require a firmware update to patch vulnerabilities, the task can be complex to accomplish on the fly. For example, if a printer requires firmware upgrading, IT departments are unlikely to be able to apply a patch as quickly as they would in a server or desktop system; upgrading custom firmware often requires extra time and effort.

Also challenging for enterprises is dealing with the default credentials provided when IoT devices are first used. Often, devices such as wireless access points or printers come with known administrator IDs and passwords. On top of this, devices may provide a built-in Web server to which admins can remotely connect, log in and manage the device. This is a huge vulnerability that can put IoT devices into attackers’ hands.

This requires enterprises to develop a stringent commissioning process. It also requires them to create a development environment where the initial configuration settings of the devices can be tested, scanned to identify any kind of vulnerabilities they present and validated, allowing the organization to address any issues before the device is moved into the production environment. This further requires a compliance team to certify that the device is ready for production, test the security control on a periodic basis and make sure that any changes to the device are closely monitored and controlled and that any operational vulnerabilities found are addressed promptly.

4. IDENTIFYING, IMPLEMENTING SECURITY CONTROLS

In the IT world, redundancy is critical; should one product fail, another is there to take over. The concept of layered security works similarly, but it remains to be seen how well enterprises can layer security and redundancy to manage IoT risk. For example, in the healthcare industry, medical devices are available that not only monitor patients’ health statuses, but also dispense medicine based on analysis these devices perform. It’s easy to imagine how tragic consequences could result if these devices became compromised.

The challenges for enterprises lie in identifying where security controls are needed for this emerging breed of Internet-connected devices, and then implementing effective controls. Given the diversity that exists among these devices, organizations should conduct customized risk assessments to identify the dangers and determine how best to contain them.

An interesting recent example was the case of former Vice President Dick Cheney disabling the remote connectivity of a defibrillator implanted in his chest. Unfortunately, most enterprises don’t have the luxury of taking these devices offline. In any event, organizations that embrace IoT must define their own information security controls to ensure the acceptable and adequate protection of the IoT evolution. As the trend matures, best practices will certainly emerge from industry professionals.

5. FULFILLING THE NEED FOR SECURITY ANALYTICS CAPABILITIES

The variety of new Wi-Fi-enabled devices connecting to the Internet creates a flood of data for enterprises to collect, aggregate, process and analyze. While organizations can identify new business opportunities based on this data, new risks emerge as well.

With all of this data, organizations must be able to identify legitimate and malicious traffic patterns on IoT devices. For example, if an employee tries to download a seemingly legitimate app onto a smartphone that contains malware, it is critical to have actionable threat intelligence measures in place to identify the threat. The best analytical tools and algorithms not only detect malicious activity, but also improve customer support efforts and improve the services being offered to the customers.

To prepare for these challenges, enterprises must build the right set of tools and processes required to provide adequate security analytics capabilities.

6. MODULAR HARDWARE AND SOFTWARE COMPONENTS

Security should be considered and implemented in every aspect of IoT to better control the parts and modules of Internet-connected devices. Because attackers often exploit vulnerabilities in IoT devices after they have been implemented, organizations should consider a security paradigm like the Forrester Zero Trust model for these devices.

Where possible, enterprises should proactively set the stage by isolating these devices to their own network segment or VLAN. Additionally, technologies such as micro-kernels or hypervisors can be used with embedded systems to isolate the systems in the event of a security breach.

7. RAPID DEMAND IN BANDWIDTH REQUIREMENT

A Palo Alto Networks Inc. study revealed that between November 2011 and May 2012, network traffic jumped 700% on networks the vendor observed, largely due to streaming media, peer-to-peer applications and social networking. As more devices connect to the Internet, this number will continue to grow.

However, the increased demand for the Internet will potentially proliferate business continuity risks. If critical applications do not receive their required bandwidth, consumers will have bad experiences, employee productivity will suffer and enterprise profitability could fall.

To ensure high availability of their services, enterprises must consider adding bandwidth and boosting traffic management and monitoring. This not only mitigates business continuity risks, but also prevents potential losses. In addition, from the project-planning standpoint, organizations should carry out capacity planning and watch the growth rate of the network so that the increased demand for the required bandwidth can be met.

CONCLUSION

The Internet of Things has great potential for the consumer as well as for enterprises, but not without risk. Information security organizations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology we can’t even foresee currently. Enterprise security teams should take the initiative now to research security best practices to secure these emerging devices, and be prepared to update risk matrices and security policies as these devices make their way onto enterprise networks to enable machine-to-machine communication, huge data collection and numerous other uses. This increased complexity within the enterprise shouldn’t be overlooked, and threat modeling will be necessary to ensure the basic security principles of confidentiality, integrity and availability are maintained in what will be an increasingly interconnected digital world.

AJAY KUMAR is an information security manager who has been working for a decade in the information security and risk management domain, and has expertise in cybersecurity, identity and access management, security operations management, data protection, cloud security and mobile security. Ajay can be reached at [email protected].


IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS?

It’s time to start prepping a security policy for the coming IoT era, to avoid the free for all we saw with the bring-your-own movement.

By Kevin Beaver

The Internet of Things is more than just cars, clocks and coffeemakers. It’s about an entirely new frontier of networked devices that affect enterprise security both directly and indirectly. One of the recent discussion points has been around whether or not the average corporate network can even handle the Internet of Things’ bandwidth requirements. It’s certainly something to be thinking about, but it seems moot when you consider the potential for the inevitable security headaches.

Enterprises have enough trouble keeping up with the security of their traditional network systems. Many people struggle with knowing where their systems, and especially their sensitive data, are located. Others have no clear picture of their current security posture or what’s taking place on the network at any given moment. No doubt, the largest group consists of IT and security staff who struggle to get—and keep—management and their general user base on board with security. With the Internet of Things, these issues become even more of a challenge. I suspect we’re going to experience a side of security we never anticipated.

Since the beginning of my career in information security, I’ve worked by the mantra that if a system has an IP address or a URL and it touches the business network or processes sensitive information in any way, then it’s fair game for attack. It should also be fair game to fall within the scope of existing security management programs. Similar to mobile devices, instant messaging, social media usage and the like, we’re not going to stop the Internet of Things from growing. It has to be front and center in your security discussions.

PLAYING BY THE RULES

One of the core principles of minimizing information risks is to lay out a set of rules to play by in the form of well-written security policies. If proper expectations are not set, then it’s a free for all, not unlike what we see with BYOD. The good news is that securing—or protecting against—the Internet of Things is not going to be much different from securing any other aspect of the network. It’s about perspective and priorities. Here are some security policy-centric items you must consider with the Internet of Things in the enterprise:

- What role will your existing security policies play? You won’t have to start from scratch. Your existing policies around passwords, patching and system monitoring will likely suffice. The important thing is to ensure that the Internet of Things falls within the scope of each of these policies where necessary.

- Will new security policies be required? You might find that new (or updated) policies around network segmentation and access control are needed to ensure these devices are kept in their place—similar to how you might handle wireless access points and guest Internet connections. Be sure to consider the Internet of Things implications for business partners, suppliers and customers that have network connections into your environment as well. What additional risks will each of your employees’ Internet of Things devices at home introduce to your network via VPN connections?

- Who’s going to ensure that your policies are both enforceable and actually enforced to minimize your Internet-of-Things risks? Management and users may buy into policies around core business applications, but how are they going to perceive your desire to secure seemingly harmless devices with minimal business purpose? You need to be able to quantify the risk by performing a risk analysis and determining the likelihood and impact when threats exploit Internet of Things vulnerabilities. A good BYOD security program now can serve not only as a good indication of things to come but also as the groundwork for your Internet of Things policy enforcement.

- Who’s going to be monitoring the Internet of Things? You could ultimately be looking at double the number of hosts (or more) on your network at some point in the near future. Will you need additional staff to ensure everything is kept in check? Will your managed security services provider be able to accommodate these systems?

I don’t typically buy into the marketing hype associated with emerging areas of IT, such as the cloud and big data, but there is something to be said about the Internet of Things. The term is a bit jargon-ish but the business consequences are real. Cisco estimates that the Internet of Things will grow to 50 billion devices by 2020. That represents a significant number of systems that will somehow need your attention. These devices could open up backdoors into your network. They can facilitate malware propagation. They can end up storing sensitive business information. They can lead to denial-of-service conditions. Is your business prepared? Are you going to be able to justify taking time away from the things you’re currently doing to tend to this new realm of systems invading your network?

Complexity is one of the largest barriers to effective security, and the Internet of Things is no doubt going to increase that exponentially for organizations both large and small. You’re going to have to up your security game by doing more of it—better, faster, and cheaper than ever before. Now’s the time to be thinking about keeping the Internet of Things in check on your network and any other networks that are associated with your business. Get the right people on board and at least start with a policy update that outlines what you’re doing and not doing—allowing and not allowing—with all of these connected devices. Policies aren’t the magic solution to security. In fact, they often do more harm than good by creating a false sense of security and “compliance.” But do it anyway—any positive action toward a better, more secure Internet of Things will provide many long-term payoffs for the business as a whole.

KEVIN BEAVER is an information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.


WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGS

It’s a big task, securing the Internet of Things, and a key step is to figure out who exactly is responsible.

By Shamus McGillicuddy

Advocates say the Internet of Things is a multi-trillion dollar business opportunity, but it’s also a potential disaster for privacy and safety. Before we connect everything around us to the Internet, we need to think about security.

Internet of Things security is difficult to discuss because the concept is so immense. When you make “everything” IP-connected, how do you lock all of that down? Cars, cows, oil rigs, medical devices, refrigerators. There is no perimeter that can encircle all of that.

“The challenge we have is that each of those areas is really pretty separate,” said Bret Hartman. “The technologies working in those areas tend to focus specifically on their own area. It’s not going to be one-size-fits-all for [Internet of Things] security.”

Companies and individuals will also find that they lose a lot of control over where their data is and where it is going. When consumerization struck the enterprise, power and control over data and connectivity shifted from IT to the user. IT is still adapting to that shock. Now another shift is coming.

“Power is shifting from the user to machines,” said Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack Security Inc. “And when it shifts to machines, connectivity is the inverse to security. The more connectivity you have, the less security you have—unless you can layer it in properly.”

INTERNET OF THINGS SECURITY: IT’S NOT EASY

Locking down the so-called “things” on the Internet of Things is a daunting task because security takes computing power, and many things have only the bare minimum, if that.

“Usually these endpoint devices aren’t very big. They don’t have a lot of compute power to do much, especially around security,” Hartman said. “There are IP-addressable light bulbs. There’s not a whole lot of processing power left in there for security.”

Furthermore, wherever you have an IP-connected thing, you also have an operating system. Operating systems need to be patched. When they aren’t, hackers find vulnerabilities. Botnets will find millions of new recruits in the form of zombie appliances and other “things.”

These things are all communicating with each other, too. And they influence each other.

“How much is going to go wrong if someone hacks a cow’s monitoring system?” asked Eric Hanselman, chief analyst for New York-based 451 Research. “It’s all just passive data collection. It’s not a big deal.” But data about a cow’s health might go to another “thing” on a farm that crunches that data and spits out new data. Then that data goes elsewhere, all across IP networks.

“These are typically paths that are poorly protected. The bigger problem is not so much the endpoints, but the fact that the data paths themselves create a new attack platform.”

“What if your microwave was taken over and it kept telling your fridge to shut down?” said Chakravarty of ThreatTrack. “You wouldn’t know there was something wrong with your microwave. The user is slowly stepping out of the equation. We may be carrying a phone, but it’s not just a phone. It’s a transmitter and receiver that can propagate information exactly like a router would on a network.”

INTERNET OF THINGS SECURITY: HOW DO YOU DO IT?

Some engineers say network monitoring is the way to solve the problem.

“It’s much more about using the network fabric to watch traffic across all these devices and limit [that traffic] where there appears to be some abuse or potential attack happening,” Cisco’s Hartman said. “In an industrial control system, you might change [a robot’s] settings with a management console, but you wouldn’t expect two robotic arms to reprogram each other. So you can look at that kind of traffic and say this shouldn’t be happening. You can control and limit the traffic that goes among these [robots].”

Internet of Things security will also require encryption key management infrastructure and identity management systems that can scale into the billions, said Earl Perkins, research vice president for Stamford, Connecticut-based Gartner Inc.

“We’ll have to figure out a way to protect data in an environment like this, whether it’s on [an] Internet of Things ‘thing’ or in an intermediate location,” he said. “We’ll have to revamp the way we look at encryption key management and identity management. We’ll have to combine capabilities from identity management and asset management, because [people] are going to become [their own] personal cloud networks. The Internet of Things that you carry on your person and that you have at home are like a cloud of devices that surround you. You have an identity and the things have identity, but how do you keep [up] with the relationships between you and the identity of those things?”

The Internet of Things will also require a sophisticated approach to risk management. Not all of the devices on the Internet of Things will be new. Organizations are strapping IP connections onto legacy devices and systems to extract data. Those legacy systems will pose a higher risk than something engineered from the ground up to be an IP endpoint.

“You need to add intelligence to be able to deal with the level of risk [presented] by these older types of data sources,” 451 Research’s Hanselman said.

INTERNET OF THINGS SECURITY: WHO OWNS THE PROBLEM?

Clearly, there is a lot of work to be done in securing the Internet of Things. Before you even tackle the problem, you need to figure out who is responsible for it. Billions of new devices will start collecting and sharing data, and a wide assortment of companies will be enabling that. Who owns the problem?

SHAMUS MCGILLICUDDY is the director of news and features for TechTarget Networking Media. He writes about networking, security, data centers, network management and other topics for SearchNetworking and manages overall news coverage for TechTarget’s other networking sites, including SearchUnifiedCommunications, SearchEnterpriseWAN and SearchCloudProvider. He holds a master’s degree in journalism from Boston University.
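
An added example, not part of the original magazine, of the traffic check Hartman describes in the article above (a management console may change a robot's settings, but two robotic arms should not reprogram each other), applied to an IoT segment isolated as the seven-risks article recommends. The subnet, inventory, roles, ports and flow records are all constructed assumptions.

```python
"""Added example: check flow records against a role-based allow-list for an
isolated IoT segment. Every address, role, port and flow below is constructed."""
import ipaddress
from collections import Counter
from typing import NamedTuple

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT VLAN subnet

# Assumed asset inventory: IP -> role, filled in when a device is commissioned.
INVENTORY = {
    "10.10.0.5": "mgmt_console",
    "10.10.0.9": "historian",
    "10.20.0.11": "robot_arm",
    "10.20.0.12": "robot_arm",
    "10.20.0.30": "sensor",
}

CONTROL_PORT = 44818    # assumed port of the devices' programming interface
TELEMETRY_PORT = 8883   # assumed port of the telemetry collector

# Expected conversations as (source role, destination role, destination port).
ALLOWED = {
    ("mgmt_console", "robot_arm", CONTROL_PORT),
    ("mgmt_console", "sensor", CONTROL_PORT),
    ("robot_arm", "historian", TELEMETRY_PORT),
    ("sensor", "historian", TELEMETRY_PORT),
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def in_segment(ip: str) -> bool:
    """True when the address belongs to the isolated IoT subnet."""
    return ipaddress.ip_address(ip) in IOT_SEGMENT


def classify(flow: Flow) -> str:
    """Return 'ok', 'out_of_scope', or the reason the flow breaks policy."""
    src_in, dst_in = in_segment(flow.src), in_segment(flow.dst)
    if not (src_in or dst_in):
        return "out_of_scope"          # no IoT endpoint involved
    src_role = INVENTORY.get(flow.src)
    dst_role = INVENTORY.get(flow.dst)
    if src_in and src_role is None:
        return "unknown_device"        # on the segment but never commissioned
    if (src_role, dst_role, flow.dport) in ALLOWED:
        return "ok"
    if src_in and dst_in:
        # Device-to-device traffic. Control traffic between peers is the
        # "two robotic arms reprogramming each other" case.
        return "peer_control" if flow.dport == CONTROL_PORT else "peer_traffic"
    if src_in:
        return "segment_escape"        # device reaching an unapproved outside host
    return "unapproved_inbound"        # outside host reaching into the segment


def audit(flows):
    """Return (violations, summary); violations is a list of (flow, reason)."""
    violations = [(f, r) for f in flows
                  if (r := classify(f)) not in ("ok", "out_of_scope")]
    return violations, Counter(reason for _, reason in violations)


# Constructed flow records, standing in for a switch or firewall export.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.11", CONTROL_PORT),    # console programs a robot
    Flow("10.20.0.11", "10.10.0.9", TELEMETRY_PORT),  # robot reports telemetry
    Flow("10.20.0.12", "10.20.0.11", CONTROL_PORT),   # robot programs a robot
    Flow("10.20.0.30", "203.0.113.7", 443),           # sensor calls the Internet
    Flow("10.10.0.77", "10.20.0.30", 80),             # workstation hits device web UI
    Flow("10.20.0.99", "10.10.0.9", TELEMETRY_PORT),  # uninventoried device
    Flow("10.10.0.5", "10.10.0.9", 22),               # not IoT traffic
]

if __name__ == "__main__":
    found, summary = audit(SAMPLE_FLOWS)
    for flow, reason in found:
        print(f"{reason:20} {flow.src} -> {flow.dst}:{flow.dport}")
    print(dict(summary))
```

The same allow-list can drive enforcement as well as alerting: each tuple in ALLOWED corresponds to one permit rule on the segment boundary, with everything else denied.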

TechTarget Security Media Group

EDITORIAL DIRECTOR Robert Richardson
EXECUTIVE EDITOR Eric Parizo
FEATURES EDITOR Kathleen Richards
EXECUTIVE MANAGING EDITOR Kara Gattine
NEWS WRITER Brandan Blevins
ASSOCIATE MANAGING EDITOR Brenda L. Horrigan
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Kevin Beaver, Ajay Kumar, Shamus McGillicuddy
CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Dave Shackleford, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

EDITORIAL BOARD
Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, ZeroPoint Risk Research

SENIOR VICE PRESIDENT/GROUP PUBLISHER Doug Olender [email protected].

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 3: DRAFTER123/ISTOCK