10 IoT Security Best Practices For IT Pros - InformationWeek
8/9/2016
07:06 AM
Thomas Claburn

10 IoT Security Best Practices For IT Pros

IT professionals have to treat internet of things (IoT) vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention, for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network. When everything is connected, security is only as strong as the weakest node on the network.

The Internet Crime Complaint Center (IC3), a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, issued a warning in September 2015 about the risks posed by internet of things (IoT) devices.

"As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors," the IC3 alert said. "The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats."

From a statistical standpoint, the warning may seem premature, because IoT devices haven't been implicated in major breaches. As Verizon noted in its 2016 Data Breach Investigations Report (DBIR):

"For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations."

We do have real-world proofs-of-concept. Cyber-security researchers Charlie Miller and Chris Valasek last year remotely hacked a moving Jeep Cherokee and sent it into a ditch. The pair have more recently demonstrated that hijacking a moving Jeep is still possible, though this time they were inside the vehicle.

Also last year, security researcher Maxim Rupp identified two vulnerabilities in Honeywell's Midas gas detector, a device used in semiconductor processing and industrial manufacturing. Researchers have identified many other holes in IoT security.


The potential impact of these flaws may prompt fears. The idea that a hacker might cause you to crash your car is frightening. But there's not much money in pursuing that sort of exploitation, and hackers tend to be motivated by the desire for financial gain. According to Verizon's 2016 DBIR, 89% of breaches had a financial or espionage motive.

Yet, those working in information technology have to treat IoT vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network.

When everything is connected, security is only as strong as the weakest node on the network. A compromised home router, for example, could betray credentials necessary to penetrate workplace systems.

Pen Test Partners, a company offering penetration testing and security services, offers best practices for IoT device-makers, app developers, and IoT supply chain partners to consider. So do Microsoft and the Federal Trade Commission. whiteCryption has some recommendations too.

Anyone dealing with IoT software or hardware would also do well to review the OWASP Top 10 IoT Vulnerabilities.

What follows are 10 tips IT professionals should consider when designing and implementing internet-connected devices.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
SaneIT
User Rank: Ninja
8/11/2016 | 8:18:27 AM
Re: IoT Security
I don't doubt that a garage doing this might get caught because as you mention they would probably get sloppy, but let's think about VW and their clean Diesel cover up. That lasted for years and we're still finding out about vehicles that were affected. They fudged numbers to sell cars; what is stopping them from fudging systems to give dealerships more service dollars? Safety may be what gets our attention but it shouldn't be the only reason we care about these systems being secured.
tjgkg
User Rank: Ninja
8/10/2016 | 9:40:59 AM
Re: IoT Security
Everything that you mention is really scary. Although I would think that the public might wise up to that garage you mention. Criminals get greedy and sloppy. Eventually a pattern will emerge and they would get caught. The only good thing that would come out of that is to "harden" the on-board systems to prevent this from happening. Although I am not sure how you would deal with a worm issue unless there were regular downloads and system checks over the air from Jeep.
SaneIT
User Rank: Ninja
8/10/2016 | 9:29:23 AM
Re: IoT Security
Imagine a less than ethical garage attacking Jeeps as they drive by, turning on check engine lights, disabling parts of the entertainment system or changing the braking behavior via the ABS controls in the hopes that they'll pull in for service that will be no more than putting the systems back to the factory settings. Or imagine a worm generated and every 2016 Jeep's brakes fail at 6PM on a Thursday.
tjgkg
User Rank: Ninja
8/9/2016 | 11:15:35 AM
Re: IoT Security
This is incredible. Imagine having your car taken over while you are driving your family somewhere. Or a train, bus or plane. I'm glad I do not have any of my appliances on the internet at this point.

Watching old sitcoms or war movies, it sort of makes you nostalgic for the days when nobody could hack your Jeep and you had to go to a teller to get money instead of a machine.  Or how difficult it was to tap your phone.
SaneIT
User Rank: Ninja
8/9/2016 | 8:22:20 AM
IoT Security
I think that this is going to be a point of entry for malware, worms and DDoS in the not too distant future. The advice to choose your hardware wisely is huge but sadly I doubt that we'll ever really know all of the vulnerabilities of devices that are placed inside our walls. The first malware for smart thermostats has been introduced and I'm sure not many people thought that one day they may be held hostage on the hottest day of the year as hackers demand payment before they can turn their air conditioner on. I've been seeing warnings since the very start of IoT talks, have been on the forefront of warning people about the controls that are vulnerable in many modern vehicles and I continue to keep my eyes open for the next good idea where security doesn't just take a back seat, it isn't even on the bus. Most of these systems that we're seeing compromised ignore almost every security recommendation ever given to any project. They assume that no one will think to try accessing it but they are installed as part of a larger system that tinkerers love to play in. Jeep's problems with securing various parts of their control systems are a glaring demonstration of how walls should be kept between systems. If I can disable your brakes through the system that controls your DVD player we have a real problem.