No Jitter is part of the Informa Tech Division of Informa PLC


Hacking IoT

Computer chips are everywhere. Most devices today do not connect to the Internet, but they could and probably will be connected soon. When connected to the Internet, they become members of the Internet of Things.

The Internet of Things (IoT) is here. Is your IT group ready? Have they explored all the security vulnerabilities that could and do exist? IoT endpoints will open up a huge range of security vulnerabilities, both in themselves and in existing devices and data that become compromised because IoT devices and software are interconnected with individuals' personal and financial data.

The HP IoT Report
This is the conclusion of the "Internet of Things Research Report" from HP. HP Security Research analyzed 10 of the most popular devices in common IoT categories and found a high average number of vulnerabilities in each device, as many as 25. The vulnerabilities ranged from Heartbleed to denial of service, weak passwords, and cross-site scripting.

The devices selected for analysis:

• Were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers
• Included a majority of devices that accessed some form of cloud service
• Also included mobile applications for accessing or controlling devices remotely

The HP Report discovered several problems:

• Weak authentication and authorization procedures; 80% had weak passwords
• No encryption of the data as it is transported via the Internet for 70% of the devices
• Six out of ten website interfaces were not secure, vulnerable to persistent attacks, and had weak credentials
• The firmware and software implemented were not secure

[Graphic from the HP Report]

The Open Web Application Security Project
No one person, enterprise, or organization can produce the effort to prevent, mitigate, and resolve security issues for IoT. Even if the community at large can solve the problems, new security problems surface every day. It takes a worldwide group effort of interested individuals and organizations to continually pursue security solutions.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization. It is focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations can make informed decisions about software security risks.

OWASP does not endorse or recommend commercial products or services; it is vendor neutral. OWASP is a global group of 42,000 volunteers, but anyone can participate in OWASP activities. All the OWASP materials are available under a free and open software license. Its primary focus is privacy concerns, and it has produced a Top 10 list of security issues.

The OWASP encourages individuals and organizations to monitor their efforts. OWASP also wants those not presently involved to establish their own projects that can contribute to security protection. If you are an application developer, software architect, or information security author, you should consider creating or joining a security project. Think of a project as an investigation of a security issue leading to its resolution.

Collect IoT Data Responsibly
One of the attractive parts of IoT is collecting vast amounts of data that can be analyzed in many ways. However, some of the collected data may not be useful or appropriate to collect. Consider what you will be doing with the data before you implement blanket collection on the assumption that you will discard what you don't need. You know that once data is collected, it will be hard to discard. Even if the collected data is never used, the data storage systems can still be penetrated if they are not properly protected.

To minimize privacy concerns, ensure:

• That only critical data for the endpoint is collected and no more
• Encryption is used for both the signaling and data transmission
• That the endpoint and all of its component parts protect personal data

What You Can Do
You cannot stop the development and distribution of security attacks. They will come, again and again. You can develop policies and procedures, implement hardware and software to prevent the problems, and install tools and systems that can monitor in real time to discover problems rapidly. You will need to implement effective responses to the security problems that will reduce the vulnerabilities and block most of the attacks.

Conduct a security review of your endpoints and all related components
Ensure that testing is performed, which can include:

• Automated Web interface scanning
• Review the network traffic to look for congestion or traffic blocking problems that could affect real-time operations
• Look at all the physical ports on the endpoint such as the USB to ensure it cannot be used to invade the endpoint
• Review the authorization and authentication procedures
• Investigate the interactions with cloud and mobile applications looking for security weaknesses

Implement security standards that all endpoints must satisfy before going live
Most of the security issues in the HP report are "low hanging fruit" and can be easily resolved. Look for and implement as many security controls as possible. These controls may be a burden to comply with, but the alternative of poor security is not acceptable.
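One way to turn the review items above, the privacy rules from "Collect IoT Data Responsibly", and the go-live standard into an enforceable check is a small gate that evaluates each endpoint's review record and refuses go-live on any failure. This is an added example, not code from HP, OWASP, or the post; the device records, the weak-password list, and the patch-age and password-length thresholds are constructed assumptions.

```python
"""Go-live gate for IoT endpoints, derived from the review items in this post.

Each record is a self-assessment filled in during the endpoint security review.
evaluate() returns the failed controls; an empty list means the endpoint may
go live. All thresholds and the weak-password list are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Assumed: credentials of the kind the HP report counted as weak.
WEAK_PASSWORDS = {"1234", "12345", "123456", "password", "admin", "default"}
MAX_PATCH_AGE_DAYS = 30          # assumed policy: patches applied within a month
MIN_PASSWORD_LENGTH = 12         # assumed policy


@dataclass
class EndpointReview:
    name: str
    admin_password: str
    transport: dict                 # {"signaling": "tls", "data": "plaintext"}
    collected_fields: set           # what the endpoint actually collects
    required_fields: set            # what it needs to do its job
    open_physical_ports: set = field(default_factory=set)   # e.g. {"usb"}
    days_since_last_patch: int = 0
    cloud_urls: list = field(default_factory=list)
    per_user_authorization: bool = False


def evaluate(r: EndpointReview) -> list:
    findings = []
    # Authentication and authorization (80% of devices in the HP report were weak)
    if r.admin_password.lower() in WEAK_PASSWORDS or len(r.admin_password) < MIN_PASSWORD_LENGTH:
        findings.append("weak-password")
    if not r.per_user_authorization:
        findings.append("no-authorization-model")
    # Encryption for both signaling and data in transit (70% had none)
    for channel in ("signaling", "data"):
        if r.transport.get(channel) != "tls":
            findings.append(f"unencrypted-{channel}")
    # Cloud and mobile interactions: every cloud endpoint must be reached over HTTPS
    for url in r.cloud_urls:
        if not url.lower().startswith("https://"):
            findings.append(f"cloud-plaintext:{url}")
    # Collect only the data the endpoint needs and no more
    extra = r.collected_fields - r.required_fields
    if extra:
        findings.append("over-collection:" + ",".join(sorted(extra)))
    # Physical ports such as USB must not be usable to invade the endpoint
    if r.open_physical_ports:
        findings.append("open-physical-ports:" + ",".join(sorted(r.open_physical_ports)))
    # Patching is a daily, high-priority effort, not an occasional one
    if r.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        findings.append("stale-firmware")
    return findings
```

Run evaluate() over every endpoint in the inventory before it goes live and again on each review cycle; a non-empty result is the list of controls to fix first.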

Throughout the endpoint lifecycle ensure security is always considered
Ensuring security is not a one-time effort. Establish security and review processes so that security is integral to the endpoint, not an add-on. Do not delay installing security patches and updates. Make this a high priority effort every day.

Other blogs relating to IoT include IoT: Benefit or Headache for IT?, Social Physics and IoT, The Internet of Things Begets the Industrial Internet, and The Internet of Things Will Change Your Business Model.