Post by Nick Palmer, Sales Engineer
The Internet of Things sounds fairly innocuous. It almost sounds like something from a kid’s fairy tale, but it’s going to make your life as a security professional harder. Allow me to explain why.
When I first heard the term ‘Internet of Things’ completely out of context over ten years ago, I admit to being a little puzzled. I wondered what ‘things’ the name referred to, and which of these ‘things’ could confer material benefit by being connected to the World Wide Web. Of course, the internet was a different place in 2003, and the notion of connecting devices for appliance diagnostics and servicing, road monitoring, waste collection and the myriad of other applications was fledgling at best.
From a data management perspective, it is rapidly becoming clear how the Internet of Things (IoT) will affect every facet of Information Technology, but particularly IT Security. To give an idea of the sense of scale involved, if a kilobyte is considered the size of a human body, then a Zettabyte is the size of Continental Europe (which, for our American readers, is about a third the size of the US). The Internet saw a Zettabyte of traffic in 2015.
I don’t propose to explore the size and scale of the Internet of Things other than to highlight the point that the proliferation of data and ingress points to the Internet causes the IT security industry a serious problem. Not only does it create additional noise that must be sifted to separate the threatening from the benign, but it also introduces a multitude of new attack vectors. Even in a domestic setting, the average Samsung washing machine leaving the production line in 2016 is internet connected, with four sensors that can report to smartphone apps. But what about an entire thermostat fabric in an office block? Even the average CCTV infrastructure securing a medium-sized enterprise will have hundreds more such sensors. Similar attack points include hand-held logistics scanners, inventory control systems, traffic flow monitors and environmental controls. All of these are potential attack surfaces, and TrapX’s discovery of two zero-day IoT attacks with Zombie Zero and MedJack clearly illustrates the associated dangers.
Let’s assume that an organization is selling IoT-enabled equipment into large corporations. These are capital purchases, with service contracts that just about cover the cost of providing break-fix. How can providers of these types of equipment possibly keep this equipment secure against attack? How long can they reasonably be expected to supply updates to keep these devices hardened?
Given that core IT security work is about protecting traditional IT assets, what can be done to provide extra security to the vast network of connected devices that may or may not be receiving the requisite security updates? If these pieces of equipment become obsolete more slowly than their vulnerabilities are discovered, then security teams are in a world of pain, because once it stops being profitable for manufacturers to issue security patches, they will stop issuing them. Effective segmentation of the network is clearly a first priority, but given that an attacker who establishes a foothold on a compromised host will seek to move laterally as quickly as possible, is it enough to leave a sea of potentially insecure devices for them to navigate unhindered?
My view is that a Deception-based solution is the best option. One simply cannot certify as secure every device connected to an increasingly open network. Deploy highly interactive but secure emulations of these devices and the associated gateways, alongside the real ones, and wait for high-fidelity alerts when attackers breach these units and try to move laterally into the infrastructure towards higher-value targets. This means the growing number of devices requiring support from security teams need not be so onerous. The teams do not need to become experts in the multiplicity of attack surfaces your organization is now exposing. The first attempt an attacker makes to move laterally across the network will be captured. The Deception Solution reveals the compromised endpoint, methods and motives, and any executable malware he tries to deposit will be sandboxed and subjected to rigorous analysis.
Remember, the shadow network of IT assets created at scale by a good Deception solution should never be touched by anything. If it is, you have a conviction and you should take the Indicators of Compromise (IOCs), perform Incident Response, remediation and iterative corrective measures in the wider ecosystem.
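The "never touched by anything" rule above is what makes decoy alerts high-fidelity, and it can be checked against plain flow logs. The following Python is an added illustration, not TrapX's or the author's code: the decoy inventory, addresses and connection log are all constructed, and a real deployment would read flows from a network sensor rather than a string.

```python
from collections import defaultdict

# Constructed decoy inventory (not a real deployment): emulated IoT devices
# placed alongside the real thermostats, cameras and scanners.
DECOYS = {
    "10.20.5.31": "emulated thermostat",
    "10.20.5.32": "emulated CCTV camera",
    "10.20.7.44": "emulated logistics scanner",
}

# Constructed connection log, one flow per line: "timestamp src dst dst_port proto".
SAMPLE_LOG = """\
2016-05-10T09:01:02Z 10.20.5.10 10.20.5.1 443 tcp
2016-05-10T09:01:05Z 10.20.5.10 10.20.5.31 47808 udp
2016-05-10T09:01:06Z 10.20.5.10 10.20.5.32 554 tcp
2016-05-10T09:01:09Z 10.20.5.10 10.20.7.44 22 tcp
2016-05-10T09:02:00Z 10.20.9.77 10.20.5.2 80 tcp
"""

def parse_log(text):
    # Split the flow log into dicts; a real system would read Zeek/NetFlow here.
    events = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return events

def detect_decoy_touches(events, decoys=DECOYS):
    """Any flow to a decoy is an alert: nothing legitimate should ever talk to an
    emulated device. Flows are grouped by source host, the compromised endpoint."""
    touches = defaultdict(list)
    for ev in events:
        if ev["dst"] in decoys:          # traffic to real assets produces no alert
            touches[ev["src"]].append(ev)
    alerts = []
    for src, evs in touches.items():
        names = sorted({decoys[e["dst"]] for e in evs})
        alerts.append({
            "compromised_endpoint": src,
            "first_seen": min(e["ts"] for e in evs),   # ISO timestamps sort as text
            "decoys_touched": names,
            "services_probed": sorted({(e["proto"], e["port"]) for e in evs}),
            # one host reaching several distinct decoys is the lateral-movement pattern
            "lateral_movement": len(names) > 1,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_decoy_touches(parse_log(SAMPLE_LOG)):
        print(alert)
```

The alert record is the IOC bundle the post describes: the compromised endpoint, when it first reached a decoy, and which emulated services it probed, ready to hand to Incident Response.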
This is how you scale your security team and simultaneously embrace the Internet of Things, without exposing your organization to unacceptable levels of risk from the huge array of new vulnerabilities that it brings.