As the world around us becomes increasingly connected, the attack surface is only set to grow. Dr Mike Lloyd, RedSeal, tells us why IoT is the latest headache for CISOs and offers some advice on how to secure it.
There’s a saying in the security world: ‘if it’s on the network, it belongs to the CISO’. And CISOs have risen to the occasion, developing and honing a bag of tricks that works reasonably well even in the face of morphing attacks and unwitting employees. But now, with growing numbers of very different devices connecting to the internet, CISOs are realising that their standard bag of tricks doesn’t work on the Internet of Things (IoT).
First, what do we even mean by the Internet of Things? I’ve discussed this with several experts in the area, and I find those thinking about security have the best definition: ‘it’s IoT when we can’t get standard telemetry’. That is, the best definition I’ve encountered for the Internet of Things is about blindness and lack of knowledge: the device cannot tell you what it is, what software it runs, or whether it is behaving.
We now have the technical means to cheaply put just about any device online. But that very cheapness is part of the problem – IoT devices compete on price and are hemmed in by strong cost constraints. If we connect a lightbulb to the internet (and yes, people do), you can bet the network functionality will be the cheapest version the manufacturer can get. Within that cheap functionality, security is one of the first things to go.
One of the key tricks in a CISO’s bag is updating applications early and often with the latest fixes. But a CISO can’t update a lightbulb, an industrial turbine, or every medical device in a hospital. The security and patching infrastructure that general-purpose computers enjoy doesn’t exist for these special-purpose IoT devices: keeping up with the endless findings of security researchers requires specific expertise and adds expense that the manufacturer’s cost constraints leave no room for. As a result, nobody is responsible for managing security updates for all the Things we’re bringing to the Internet.
Other CISO tricks involve installing security agents on every device and scanning networks for known vulnerabilities. But you can’t install a security agent on an insulin pump, an industrial controller, or a lightbulb. Nor can you rely on vulnerability scanning, the main method for finding known security weaknesses in traditional IT infrastructure. At best, a traditional scanner will fail to identify the special-purpose device; at worst, its probes may crash the fragile Thing you’re trying to identify. Embedded network stacks and industrial controllers have been knocked over by nothing more exotic than an aggressive port scan, so anyone who does scan such devices should try the scan against a spare unit before pointing it at production.
So, what can our CISO do in this world where traditional techniques don’t work well? It’s not as if a typical organisation can just refuse to go along with IoT – these devices are proliferating rapidly. I’ve found that the best strategies are segmentation and resilience.
Segmentation makes sure that IoT devices have no access, not even indirectly through some other host, to the outside world. These endpoints cannot be trusted and can’t be forced to run whatever control software you want. Instead, you must contain them, keeping these fragile and risky devices away from each other and from anything else they could harm. The word ‘indirectly’ matters: a rule that lets a sensor talk to a server, plus a rule that lets that server reach the internet, is a path to the internet for whoever compromises the sensor, even though no single rule says so.
That is, as the endpoints get dumber (due to their focus on doing one job well), the network must get smarter. Network perimeters aren’t dead. Rather, they’ve gone everywhere. We now need internal perimeters around all the uncontrollable endpoints in our networks.
Resilience is also key, because perfect protection and containment are not possible. Experienced organisations balance their efforts between protection and recovery, recognising that incidents are inevitable but serious damage is not. Resilience means understanding your infrastructure ahead of an attack, thinking through how an incident could spread from one segment to the next, and building response and containment plans, just the way first responders anticipate and practise for the inevitable bad days.
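The ‘even indirectly’ point about segmentation, and the ‘how could an incident spread’ question behind resilience, are the same question asked of a network model: given the firewall allow rules, which segments can a foothold in an IoT segment reach by any number of hops? The following is an added example, not RedSeal’s software and not code from the author. It treats each allow rule as a directed edge (the direction in which a connection may be initiated, which is what a stateful firewall actually permits), ignores the service on purpose (any allowed protocol is a possible pivot, so this is the conservative view), and audits a ‘before’ policy in which no single rule grants IoT internet access but two-hop paths do, beside an ‘after’ policy where each device class talks only to its own dead-end gateway segment. All segment names and rules are constructed for illustration.

```python
"""Transitive reachability audit over a segmentation policy.

Added example (not RedSeal's product or the author's code). A network is
modelled as segments joined by firewall allow rules; each rule is the
direction in which a connection may be initiated. Segment names and rules
are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str, str]  # (source segment, destination segment, service)

IOT_SEGMENTS = ["iot_lighting", "iot_medical", "ot_controllers"]
OUTSIDE = "internet"

# "Before": every rule looks sensible on its own, and no rule says "iot -> internet".
POLICY_BEFORE: List[Rule] = [
    ("corp_users", "internet", "https"),
    ("corp_users", "servers", "https"),
    ("servers", "internet", "https"),        # servers fetch their own updates
    ("iot_lighting", "servers", "mqtt"),     # bulbs report to a broker on the server VLAN
    ("iot_medical", "servers", "https"),
    ("servers", "iot_medical", "https"),     # the same VLAN pushes config to the pumps
    ("ot_controllers", "servers", "modbus"),
]

# "After": each device class talks only to its own gateway segment, and the
# gateways initiate nothing except the one push the medical devices need.
POLICY_AFTER: List[Rule] = [
    ("corp_users", "internet", "https"),
    ("corp_users", "servers", "https"),
    ("servers", "internet", "https"),
    ("iot_lighting", "lighting_broker", "mqtt"),
    ("iot_medical", "medical_gateway", "https"),
    ("medical_gateway", "iot_medical", "https"),
    ("ot_controllers", "ot_historian", "modbus"),
    ("corp_users", "lighting_broker", "https"),   # dashboards are reached inbound
    ("corp_users", "medical_gateway", "https"),
    ("corp_users", "ot_historian", "https"),
]


def adjacency(rules: List[Rule]) -> Dict[str, Set[str]]:
    """Directed graph: an edge src->dst exists if any service is allowed.
    Services are ignored deliberately; for lateral movement, any allowed
    protocol is a potential pivot, so this is the conservative view."""
    adj: Dict[str, Set[str]] = {}
    for src, dst, _service in rules:
        adj.setdefault(src, set()).add(dst)
    return adj


def find_path(rules: List[Rule], src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search; returns the shortest hop list src..dst, or None."""
    adj = adjacency(rules)
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):   # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def blast_radius(rules: List[Rule], compromised: str) -> Set[str]:
    """Every segment an attacker could initiate connections to, directly or
    through pivots, from a foothold in `compromised` (itself excluded)."""
    adj = adjacency(rules)
    seen: Set[str] = set()
    stack = [compromised]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(compromised)
    return seen


def audit(rules: List[Rule], iot: List[str] = IOT_SEGMENTS, outside: str = OUTSIDE):
    """Findings (src, dst, path) for every IoT segment that can reach the
    outside world or a different IoT segment, by any number of hops."""
    findings = []
    for src in iot:
        for dst in [outside] + [s for s in iot if s != src]:
            path = find_path(rules, src, dst)
            if path is not None:
                findings.append((src, dst, path))
    return findings


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(f"--- policy {label} ---")
        for src, dst, path in audit(policy):
            print(f"VIOLATION {src} -> {dst} via {' -> '.join(path)}")
        for seg in IOT_SEGMENTS:
            print(f"blast radius from {seg}: {sorted(blast_radius(policy, seg))}")
```

Run against the ‘before’ policy, the audit reports five violations, including iot_lighting reaching the internet and iot_medical through the server VLAN; the ‘after’ policy reports none, and the blast radius of a compromised medical device shrinks to its own gateway. The model is only as good as the rule set fed to it, so the real work is exporting the live firewall and router policy rather than the policy you believe is deployed.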
IoT presents novel challenges for today’s CISO. The three-step strategy recommended here starts by understanding the categories of IoT devices that you use (whether you planned to or not).
Next, realise that the standard techniques we use to control general-purpose computers don’t work here, so we have to rely on segmentation. Third, we cannot expect to stop all incidents, so a well thought out containment plan, based on real knowledge of your environment, is essential to damage control. This is how CISOs can deal with the IoT headache and deliver resilience in this complex new world.