zentilia - Fotolia
Security researchers at CeBit recently demonstrated how they were able to easily hack a, well, let's just call it a Bluetooth-enabled "personal massager" and leave it at that. While they were sure to point out that such a feat may seem rather innocuous, an attacker might be able to breach the back end and then potentially blackmail the manufacturer.
Because of the somewhat salacious nature of the hack, it underscores a point worth making about the ever-buzzworthy topic of sensor-based devices: It's clear that for most device vendors, security is still taking a back seat to speed to market. And while this has provided plenty of grist for humorists, the effect of poorly conceived and executed internet-connected home and business devices extends far beyond satire.
Thus, it's up to us IT professionals, the gatekeepers of security -- if not sanity -- in our organizations, to more often and more explicitly raise the security umbrella and point out that implementing secure internet-connected gadgets requires both strategic and tactical actions. Strategic because if our organizations have even an inkling they might consider the technology, then policies and procedures need to be hammered out now, before the first device even enters the doors; and, no, the CEO's new fitness watch doesn't count. And tactical because there's a high likelihood the first thing has already entered the doors and you just haven't been told about it -- or accidentally stumbled upon it -- yet. So, you need to take action now to find and manage those devices.
Strategy is the more difficult challenge of IoT device management
Strategy is the more difficult of the two. Strategy takes time. Strategy requires you to navigate office politics, obtain management buy-in and deal with a lot of questions. But strategy is also what's going to ultimately save your business by helping you avoid a massive breach. So, not only am I not skipping the strategic side of this conversation, I'm putting it first.
In my not-so-humble opinion, your corporate policy regarding internet-connected devices -- defined as anything beyond smartphones, tablets, laptops and watches that connect to networks, be they the internet, corporate, personal, Bluetooth or otherwise -- should start with a framework.
To be considered, vendors must commit to:
- Certifying the security of their device.
- Publishing changes in advance of each new version of the device's operating system.
- Informing customers when they are changing the choice of hardware components and subcomponents for future production runs of the device.
- Provide a manual or internal update process as an alternative to an internet-wide push.
Meanwhile, corporate adopters -- departments or the management sponsors of the project -- must agree to budget for both funds and staff, which allow for a security umbrella that includes the following:
- Security review and testing, including penetration testing, as part of the adoption cycle.
- Ongoing reviews and testing of the vendor's hardware and software updates prior to rolling to production.
Lest you think I'm naive, I admit what I'm suggesting is a complete pain. The security umbrella is going to increase the cost of ownership of internet-connected devices significantly. It's going to create friction and frustration among management, who want the benefits, and IT professionals, who don't want the added hassle. But what I'm suggesting is also the only logical way forward. For us to believe doing it any other way will lead to anything except sadness and pain borders on gross negligence.
Tactics are the other part of the equation
Now that you have a sense of the kind of planning that's needed long term, let's focus on what you can put in place right now.
I want to start with something you should already have in your toolbox: a NetFlow analyzer. Central to the NetFlow protocol is the ability to expose conversations, or the transfers of data between two specific endpoints via the same port and protocol that are occurring across your organization. NetFlow is most commonly used to figure out where large bandwidth usage is going, but it can be just as easily used to track the hundreds or thousands of small conversations. This means you can leverage one of the tools you likely already have to identify internet of things-like behavior in your environment, as well as monitor which external sites are receiving connections from inside your security umbrella environment.
Another tool you should have -- but many organizations don't -- is an IP address management (IPAM) tool. While this is a must-have for organizations of any size, the introduction of things gives you one more reason to love the tool you have, or justify the one you need if you're unlucky enough to not already have one. Why? Because internet-connected devices take up IP addresses -- a lot of them. Additionally, these gadgets have media access control addresses that fall within a single vendor's grouping. So, your IPAM tool can help automatically identify and report on devices in the course of the normal operation of business.
Finally, the last tool in your tactical arsenal is a relative newcomer to the monitoring party: deep packet inspection. DPI is similar to NetFlow in that an interface in the middle of thing traffic is used to slurp up packets and analyze them for the source and destination IP, port and protocol. This information is used to categorize the packet by usage, including business application, social, streaming media or whether it's potentially malicious. The intended use case is to determine whether packets are moving slowly due to a network issue or a problem at the application level, but the applicability to thing traffic should be obvious.
Why it matters
This is all very important because we're not really talking about the hacking of a "personal massager" here, or at least not just that. In the last 12 months alone, we've seen significant security flaws exposed in children's toys, baby monitors, corporate HVAC systems, cars, pacemakers and insulin pumps. In short, we're talking about significant personal safety and corporate security risks here.
So, tell me again about how much of a hassle it's going to be.
Understanding the evolution of security
Using big data to manage NetFlow
Tackling IP address management challenges