enterprisesecuritymag

Understanding the Risks of IoT

By David Barker, Director of Digital Product Security at Stanley Black & Decker

With the introduction of every technology wave comes a new attack surface that potentially exposes company data and certainly increases risk. Mobile devices were one of those waves, and through mobile device management software some level of control over their risks was obtained. Next came the cloud revolution, and the industry is only now starting to have reasonably effective tools to help control that risk. Now we find ourselves on a new wave, loosely called the Internet of Things (IoT), that brings a unique set of risks both inside and outside our corporate perimeters.

To put this new risk into perspective, consider that with mobile devices, we really only had to figure out how to manage two unique platforms – Apple’s iOS and Google’s Android. That took years to get right and some would say it still needs work.  Similarly, with cloud, only a few primary players have remained viable and most of them are now offering their own tools to help secure our environments, in addition to a plethora of options from mainstream security vendors.  It will take some time for the efficacy of these solutions to be proven out, but the industry has responded to the risks and help is on the way.

"Understanding the risks of IoT devices is the first step toward developing a viable IoT strategy"

In stark contrast to those two examples, IoT has thousands of different things running on dozens of platforms with capabilities that are as unique as snowflakes. These things range from being powered by small Linux-based servers to barely having the processing power to send unencrypted data across a network channel. Well-meaning users are bringing useful things into our corporate perimeter and into their homes to help solve problems. The things get connected to the network, and thus to the internet, and data immediately begins to flow to and from them.

While the data stored and processed by these things is usually fairly benign, they become gateways to the networks they are connected to, and a poorly designed, patched, monitored, and managed gateway poses a threat to that network.  Our secure networks may now have hundreds of pin pricks in them, allowing an adversary unprecedented access inside our perimeters.  But there are some actions you can take to help reduce the risk.

1. Discover the Things – You may already have tools that will allow you to discover and obtain some level of information about the things connected to your network.  Discovery will let you know the extent of the potential risks that exist in your network today.  You can’t begin to control a thing until you know that it exists.

2. Embrace the Things – Like shadow IT, things are here to stay and the best way to understand the risks is to create a method that users can follow to connect them.  In the absence of guidance, people will do what they believe is necessary to meet their business requirements.  Providing an approach they can follow to legitimize their things will allow for visibility into the risks associated with them and knowledge is power.

3. Separate the Things – Your existing network may have the capability to cordon off things into their own logically separated space.  If that is the case, the investment in setting up a virtual network for things should be a relatively easy lift.  This will create separation between things and your corporate “crown jewel” assets.  If the things can’t be used to try to delve deeper into your network space, then you’ve mitigated part of the risk associated with them.  This also allows you to monitor what they do, what external resources they need access to, and how they generally behave.  You can also optionally restrict outbound connections to only trusted resources that the things need to access.

4. Learn About the Things – As you would with any supplier of IT resources, you should evaluate the security posture of the vendors who provide the things and the services that make them worthwhile. Ensure the vendor has done some level of diligence in securing your devices and data. Easy things to look for include ISO 27001 and SOC 2. Be wary of the vendor who says “Amazon has many certifications,” because clouds like Amazon’s AWS use a shared responsibility model in which they provide coverage up to a point and the consumer of their services needs to provide the rest.

5. Weigh the Risk of the Things – There is likely some value the business believes it will obtain by using the thing it deployed. Now that you’ve wrapped some control around it and learned a bit about the vendor, you’re in a position to compare the value provided against the risk it presents and make an educated decision to either accept the risk and move forward or offer an alternative solution or control set to help mitigate the risk.

Understanding the risks of IoT devices is the first step toward developing a viable IoT strategy.  Strategy is not one-size-fits-all here.  Each thing will present unique risks and each organization will have its own priorities.  IoT will not go away if you ignore it – the things are here to stay.
