We hosted Tamara McCleary, CEO of Thulium, a social media marketing agency, on a recent Google Hangout. Also present were Nicole Banks, community manager, and Nabeel Saeed, security evangelist from Imperva Incapsula. Together they discussed the state of IoT and how security issues may affect us all in the future.
McCleary says the Internet of Things (IoT) is a game changer, but it’s emerging at a time when threats against our data and systems have never been greater. Recently, Botnets of Things (BoTs) have been used in large-scale attacks. We asked Christopher Elisan, principal malware scientist at RSA, what to expect.
BoTs are a compromised set of IoTs that act in unison based on a centralized command to conduct DDoS attacks. BoTs take advantage of the data they send to a network resource. For example, an appliance that sends out a daily data status to its manufacturer’s network resource can be compromised to flood that network resource by sending status updates every minute instead of every day. Appliances that can browse the Internet are also vulnerable. There are refrigerators that have a built-in tablet that gives users the ability to browse the web. If they are compromised to target specific websites, when investigators trace back the source of the DDoS attack they find appliances instead of computer systems.
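From the side of the manufacturer's network resource, the daily-report-turned-every-minute case above shows up as a change in reporting cadence. The following is an added example, not code from the interview or from RSA or Imperva. It flags devices whose median gap between status reports falls far below the expected interval; the log format, device names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

EXPECTED_INTERVAL_S = 24 * 3600  # assumption: a healthy device reports once a day
MIN_REPORTS = 4                  # too few samples says nothing about cadence
RATIO_THRESHOLD = 0.1            # flag when the median gap is under 10% of expected

# Constructed sample log, one "<ISO timestamp> <device_id> status" entry per line.
SAMPLE_LOG = """\
2017-01-01T03:00:00 fridge-01 status
2017-01-02T03:00:05 fridge-01 status
2017-01-03T02:59:58 fridge-01 status
2017-01-04T03:00:02 fridge-01 status
2017-01-04T10:00:00 oven-07 status
2017-01-04T10:01:00 oven-07 status
2017-01-04T10:02:01 oven-07 status
2017-01-04T10:03:00 oven-07 status
2017-01-04T10:04:00 oven-07 status
2017-01-04T11:00:00 tv-22 status
2017-01-04T11:00:30 tv-22 status
not a log line
"""

def parse(log_text):
    """Yield (device_id, datetime) pairs, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "status":
            continue
        try:
            yield parts[1], datetime.fromisoformat(parts[0])
        except ValueError:
            continue

def flag_chatty_devices(log_text, expected_s=EXPECTED_INTERVAL_S):
    """Return {device_id: median_gap_seconds} for devices reporting far too often."""
    seen = defaultdict(list)
    for device, ts in parse(log_text):
        seen[device].append(ts)
    flagged = {}
    for device, stamps in seen.items():
        if len(stamps) < MIN_REPORTS:
            continue  # not enough history to judge this device
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if median(gaps) < expected_s * RATIO_THRESHOLD:
            flagged[device] = median(gaps)
    return flagged
```

Using the median gap rather than a raw count keeps a single retransmitted report from flagging an otherwise well-behaved device.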
IoT in 2017
“When it comes to IoT, manufacturers are preparing for an onslaught of product launches and customer engagement,” said McCleary. “And at the same time, the marketplace is going to have more security issues.”
When asked about the state of IoT in the next year, McCleary had this to say: “Some analysts expect IoT growth to be higher in the enterprise market space first, at least for the next few years, because businesses are starting to really look into ways to save money and improve productivity.”
IoT security
“Security is one of the reasons why the IoT has not accelerated and proliferated as much as people had expected,” said Nabeel Saeed. “As we all know, with the addition or introduction of every new IoT connection, you have another potential point of failure or another point of compromise.”
There are currently four to six billion IoT devices in the marketplace, according to Saeed. “And to say security was an afterthought would be an overstatement.”
The Internet of Things presents huge opportunities in terms of how business is conducted and how we live our lives. But, says Saeed, “We need to be cognizant of the growing security challenges that come with it.”
Tamara McCleary pointed out that there are an average of 13 enterprise security breaches every single day. These breaches result in roughly 10 million records lost per day, or 420,000 every hour. This is the reason why the movement of products to market in the IoT space has been slow.
How Do We Protect Our Appliances (and Ourselves)?
“There are two challenges when it comes to securing IoT devices,” said Saeed. “The first is to make sure data traversing from the internet to the IoT device is not breached. And the second challenge is to make sure our devices are not infiltrated by nefarious code or data.”
A service that is experienced in securing data completely would be the solution. “For both ingress and egress concerns, it’s equally important to have a specialized security solution around your devices,” said Saeed. This solution would secure the central service and protect both the consumer and producer.
On the consumer side, said McCleary, changing the security settings right out of the box is important. “If you leave your device on a factory setting for password, you’re going to set yourself up for the potential of being hacked.”
When asked how to secure a network that must connect to devices with little to no security capabilities, Christopher Elisan said, “Securing the IoT means securing network communications between these devices and their intended recipient. There must be a solution that monitors, verifies and authenticates any data going into the IoT. This ensures that any data or command is coming from a trusted source such as the device’s manufacturer. The same principle applies to data going out to the intended recipient. The data should be in the right format with verified and authenticated content.”
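A sketch of the inbound check described above, as an added example that is not code from the interview, RSA or Imperva: a gateway authenticates each command before parsing it, then checks its format and freshness. The pre-shared HMAC key, the command names, the message fields and the five-minute window are all assumptions; a production design might use manufacturer signatures instead of a shared key.

```python
import hashlib
import hmac
import json

# Assumptions for this sketch: a per-device key provisioned by the manufacturer,
# a hypothetical command set, and a 5-minute freshness window.
SHARED_KEY = b"constructed-demo-key"
ALLOWED_COMMANDS = {"set_temp", "report_status"}
MAX_SKEW_S = 300

def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag the sender attaches to the raw message bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_command(body, tag, now, seen_nonces, key=SHARED_KEY):
    """Return (accepted, reason): authenticate first, then check format and freshness."""
    if not hmac.compare_digest(sign(body, key).encode(), tag.encode()):
        return False, "bad signature"
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "malformed"
    if not isinstance(msg, dict) or set(msg) != {"cmd", "ts", "nonce"}:
        return False, "bad format"
    cmd, ts, nonce = msg["cmd"], msg["ts"], msg["nonce"]
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        return False, "unknown command"
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW_S:
        return False, "stale"
    if not isinstance(nonce, str) or nonce in seen_nonces:
        return False, "bad or reused nonce"
    seen_nonces.add(nonce)  # remember accepted nonces so a captured message cannot be resent
    return True, "ok"

def make_message(cmd, ts, nonce):
    """Constructed sample sender: returns (body, tag)."""
    body = json.dumps({"cmd": cmd, "ts": ts, "nonce": nonce}).encode()
    return body, sign(body)

if __name__ == "__main__":
    seen = set()
    body, tag = make_message("set_temp", 1_000, "n1")
    print(verify_command(body, tag, 1_000, seen))         # genuine message
    print(verify_command(body, tag, 1_000, seen))         # same message resent
    print(verify_command(body + b" ", tag, 1_000, seen))  # modified in transit
```

The same function can sit on the outbound path, with the recipient holding the key and the device calling `sign`.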
DDoS attacks and your toaster
A distributed denial of service (DDoS) attack is a malicious attempt by a threat actor to knock down an internet-connected resource. If you are connected to the IoT through your toaster, thermostat, TV and garage door opener, a DDoS attack can cause havoc in your household.
“You might ask yourself, ‘Why would anyone want to hack me?’” said McCleary. “You have to understand that a wide net is being cast by hackers and your devices might be caught in that net. These criminals aren’t pinpointing you in particular, but they’ll send out a simple script to two million IP addresses just to see which ones stick.”
The gap between IoT and software security
“With apps and software you tend to have trusted verification sources,” said Saeed. “If you buy something from the Apple store or from Google Play, these companies have dedicated resources that make sure their products aren’t compromised in any way.”
But you have to be careful with IoT, especially in your house, said Saeed. “If you don’t have proper security measures in place, you could suddenly discover that something has attached itself to your devices. And this breach could easily take over your computer or your camera.”
IoT security at a glance
There is a burden on the consumer to make sure their pass codes are strong and effective. And to help them there are standards emerging within the industry that put more emphasis on security issues.
Still, security is generally not the first priority when it comes to creating some of these devices.
“It’s incredibly hard to update a vulnerable device with better safeguards once it’s already been installed,” said McCleary. “That’s why security systems cannot simply be ‘bolted on’ after it arrives from the manufacturer.”
Consumer security measures
“First and foremost,” said McCleary, “we can’t be lazy. We can’t take things out of the box and just plug and play. You absolutely have to care about security.
“It’s a little inconvenient, but it’s definitely worth the trouble. If you’ve ever been hacked before, then you realize how important it is for you to have better pass codes and more encryption involved. Take control of your own data and your own security. Don’t rely on a company to do that for you.”
Saeed agrees. “Change your password frequently,” he said. “Make sure you update the firmware of your devices because it’s created precisely to deal with security issues. You’re a lot more vulnerable to threats than you think.”
The promise of the IoT
“The Internet of Things isn’t new,” said McCleary. “There have always been systems in place that connected our devices. But now it’s affecting key, cool areas of our lives such as transportation and healthcare.”
In the past IoT was more about technology and innovation. Now, said McCleary, companies are more customer-centric. “It’s really cool to see how technology really is powered by human beings trying to help other human beings. Keep in mind that when we’re selling products or services, we’re not using machines to sell something to another machine. It’s a person selling to another person.”
“We’ve talked about security in regards to IoT, and we’ve talked about the benefits to consumers, but we have yet to talk about one of my most passionate topics and that is data and data analytics,” said Saeed. “Think about it, when you have a device that’s connected to the internet, you’re able to harvest massive amounts of data. We have the supercomputing capacity now to get really valuable insights to make better business decisions, and to understand customers better and create different products.”
Get ready for a wild ride
“I just have to say, we need to fasten our seat belts and hang on,” said McCleary. “I predict it’s going to be a wild ride for the next 10 years. We are in a position where we can create a future consciously, together, that supports human beings on this planet to have a better life.”
In conclusion, McCleary brought the talk back to why we are so fascinated by the IoT and why it fires our imagination. “I do believe that we can come together and we can create a better future for those that come after us and make our lives count. We can use our intellect and our soul and our heart and our love for people to make this a better place.”
You can watch the video of the Google Hangout for the complete Q&A with Tamara McCleary and Nabeel Saeed. Let us know if you have more questions for them.
https://www.youtube.com/watch?v=aLFFpCOTInY