Security in the Age of “The Internet of Things”
The nature of the Internet is changing before our eyes. The growth is relentless and the rate of change, even for our business, is incredible. It’s not just a way to hook computers together anymore; it’s become a way to enable new and different kinds of efficiencies and even lifestyles. We are not yet at the point of the refrigerator anticipating our dietary needs, but every day brings us closer. This leads us to look into the Internet of Things.
What we are seeing is the dawn of a new era: the Internet of Things (IoT). It is estimated that one hundred “things” are hooked to the Internet every second! Need to see what’s going on at the house? No problem: whip out your smartphone and check your webcam app. Need to turn the lights on before you get home? No problem, the lights are hooked to the Internet as well.
However, all of this connectivity and togetherness does come with its own rapidly evolving set of security challenges. On a personal level, all of your devices are collecting information about what you do and where you go. More and more of your “stuff” is networked. On an enterprise level, so many devices now come with an embedded computer that it is hard to keep track of them all.
Think about it: an embedded computer – fully functional – costs less than $50, and it offers the manufacturer a world of opportunity and automation. It also offers criminals a world of opportunity; such is the nature of the Internet of Things. It will continue to be a trade-off between convenience and functionality on one side and security on the other. Many of these systems host a web server in order to support a GUI. Think about how often you run across a WAP (wireless access point) or other gear that is using the default password. Now imagine that it isn’t a WAP but a full-fledged computer. Add to the mix the fact that nobody in IT even knows that system is there.
The best remedy for this security challenge is for the designers of these products to bake the security right into the device, and not approach it from a “bolt on” perspective. Until that happens, the best thing you can do is to approach the security of these systems with a high degree of suspicion. Think about what the attack surface for the device is and what it could do if it were compromised. Is it a full-fledged computer capable of being compromised and hosting attacks against your network? If so, you might seriously consider putting it on its own network.
An additional concern is the data that smart and connected devices generate. Consider what could be done with that information if it is going to leave your network. Could someone compromise a networked device to find out information about your company or your employees? A compromised network camera could easily be used to facilitate a physical intrusion.
Are you at risk?
As a final thought, it is very important to note that this is not an abstract threat limited to the “enterprise” space. Small businesses are especially at risk, as they don’t have the security resources of larger businesses. Let’s face it: a five-person professional services firm surely has enough money for someone to be interested in their bank account. We have seen individually crafted and targeted phishing attacks on small businesses in our area, so we know people are looking. The problem is that those same businesses are not going to know what to do about it, but that networked webcam sure is cool…