Related Topics

Watchguard Technologies
Cisco
AVG
Kaspersky Labs.
WageSOLUTION
IBM Watson

Content reproduction policy

All content on this site can be freely reproduced as far as the author and source of the original article are mentioned. If you are going to reproduce a content by me re-posted, please be sure to contact the author and reference to his/her reproduction policy, or contact him/her for authorization to reproduce his/her content. Opinions expressed in the Blog are personal of the author and may not reflect the opinions of third parties mentioned in the blog itself.

Infosec IoT challenges for 2017

Last year we got a pretty massive example of how scary unsecure the IoT is.


Scritto da , pubblicato il


Infosec IoT challenges for 2017

So, last year we got the first massive results of how insecure the Internet of Things (or IoT) world is: the Mirai botnet gave us an example of it for all to see, and it doesn't seem like it's going to get any better soon. Also, to make an example the CES 2017 in Las Vegas running these very days, is promoting a massive amount of IoT "news" to the general public, so things could (possibly) get even worse, when not only our cameras will start performing massive DDoS attacks, but also the lawnmowers will start misbehaving.

So what's the deal with IoT and Infosec? Will security experts keep complaining about how insecure products are and how they should fix it or, rather, how consumers shall configure their firewalls at home? Whether we like it or not, consumer products must get as low price as they can so they can be sold, meaning they have to roll out “effective” software and hardware with as low effort as possible. We can’t really hope for a massive “security culture” spreading.

For those willing to complain, please be my guest. Although I feel that as the longest way to get nothing done. Except headaches.

Rather we should focus on something else, moving our attention to the companies that install or supply IoT stuff to give some further support to those who, like all of us, will start approaching the IoT world and gain the benefits it will propose.

From my perspective, there is a lot we can do by focusing our attention to where we can bring security. Given any IoT device within a home environment (please allow me to focus on this specific issue within this article) we can operate here:

  • The home network’s border, i.e. the home router/firewall
  • At the ISP level, with MSSP solutions
  • At the CSP (Cloud Service Provider) with new cloud based services (perhaps more secure)

At home

I see a future not so distant where a home should be equipped with a security appliance that gives two different security models. The first being protecting home devices like computers, tablets, smartphones and smart TVs from inappropriate or dangerous content. And with this kind of protection I also mean protecting children from content they should not be able to access, neither accidentally nor intentionally. Pornography, Darkweb, Malware, Ransomware, the Internet is a massive amount of things that could harm, directly or indirectly, adults as well as minors. Therefore, I would see this this kind of protection from what is accessible and visibly by people.

The second model is to protect every other device which traffic is not visible, or IoT. Security cameras, fridges, and any future IoT device that will start showing up in our homes. This kind of devices shall be isolated and protected at the time of installation so they won’t produce any harm when a breach is found.

Why

Most failures I could experience directly were driven because who installed the device did not have any idea of what it could lead to. Hence the issue is not with the device(s) alone, but who does the job. And that’s why I can see homes with a firewall wall-mounted and managed by a company that, when installing it, informs you which thing goes where. Whereas there is a security by design implemented things might get easier, and honestly, I don’t see it so unachievable.

ISP Level

Want it or not, ISPs are always in the middle of the fight, and IoT devices wants to have an Internet connection… guess why. So why ISPs don’t just consider the idea of securing their networks? Perhaps because if they are too big it would be too expensive to handle. So they might consider asking support for local MSSPs (see below) for support in handling this kind of issue. Probably the solution could be cost effective and more reliable.

CSP Level

More and more devices are not even needing of inbound connections, which forced them to have their services exposed on the Internet, but they use an outbound connection to connect to the Cloud Service Provider. Whereas these devices do not provide such kind of feature, a service provider should consider building such feature. Say, having the firewall wall-mounted at home, they could just build a VPN tunnel to their infrastructure and supply secured access to home services. And this kind of service doesn’t require a specific infrastructure to be built, Azure or AWS are already up for the challenge.

So, saying the IoT will fail its security is as much as saying that we need to solve the pollution problem, but nothing will be accomplished unless we start acting. And for “we” I mean the System Integrators and Security Firms that have security in mind and see the opportunity to make a change.

Conclusion

We already have security solutions that can give us the right level of security at an accessible cost, and commodities like house automation brought by IoT don’t come for free. Using this technology in a better way is only our choice.