
Will the IoT Mean the End of Defense in Depth Cyber Security? — Bastille

Searching for a cure for insomnia, I spent the weekend combing through the 162-page report released last week by RAND Corporation, the independent research organization best known for its influence on policy. The report, titled “The Defender’s Dilemma: Charting a Course Toward Cybersecurity,” is full of fear and warnings about the attacks that will target companies around the world over the next decade. Citing grey and black markets for cyber criminals, it projects that basement hackers and nation states will be operating a $2 trillion enterprise by 2020. As part of the report, RAND also released what it calls a heuristic cybersecurity model to help organizations brace for the financial impact of combating the future of online threats.

However, there’s a problem with the model. It is still the same design that focuses on preventing cyberattack, when it has been proven – OPM, anyone? – that cyber criminals are going to get in. With the loss of, well, everyone’s SF-86, OPM is clearly out of business. Defense and intelligence leaders, already suffering the worst intelligence failure in history, will no longer trust OPM to store records on their employees. At OPM, Einstein, the government’s network monitoring and IDS/IPS system, was supposed to secure the country’s most sensitive data and cost $3B of taxpayer money to build. This article is a great look at why even the best intentioned government projects usually fail because of bureaucracy. OPM didn’t even have a security chief until 2013, when the agency hired Jeff Wagoner. Even he had this to say:

“Layers of ‘walls’ to let good guys in and keep bad ones out hasn’t worked very well…When you start tracing a user, any user, through the network as if they were the bad guy, it becomes incredibly real and scary when they realize they don’t always know what the user is doing…Can agencies effectively say they know the data within each application, each function and how they tie together?”

We’ll look at RAND’s model a little closer in a minute. Overall, the report was a worthy read, with plenty of bean counters participating in the final analysis. They note that the sophistication of cyber attacks is increasing, as is the breeding ground for hackers to get a foothold into corporate environments. For the purpose of this blog, I wanted to focus on the IoT components of the report, which were as vast as they were uncertain. The RAND report discusses connected devices and BYOD at length, explaining that both of these technology trends will rapidly expand the attack surface for all organizations and that companies of every size should prepare for the financial impacts of this new frontier in computing. That said, doubling down on simply thwarting breaches is futile. RAND keeps the focus on building walls instead of knocking them down in favor of real-time visibility into network environments.

The report does acknowledge newer defense postures such as behavioral analysis and even the use of honeypots in more offensive efforts, but it falls back to the defense-in-depth stance throughout. Alluding to labor-intensive alert monitoring, the report seemed to ignore the need for more visibility (I found the word ‘visibility’ only twice in 162 pages), but that is exactly what is needed. What do Home Depot, Target and JP Morgan have in common? They were infected by malware that sat quietly for months before it was discovered, because no one was looking for it. As devices and protocols penetrate every corner of the enterprise, there is no way to know how they will interact with traditional security, or whether their presence will even be known to network teams. Fortifying the walls and leaving the door unlocked is not a strategy.

To illustrate the vulnerabilities in IoT devices, RAND looked at two notable hacks from the last couple of years. The first is a Z-Wave attack that debuted at Black Hat 2013, in which researchers were able to command and control smart home systems, in essence giving an attacker complete control of connected environments that rely on the Z-Wave protocol. The second was a smart lightbulb that leaked Wi-Fi passwords. While both were quickly fixed, RAND used these examples to demonstrate the emerging exploits resulting from the rapid – and insecure – growth of the Internet of Things. Proprietary protocols and poorly tested products, according to the report, will only intensify hackers’ desire to leverage them as a way into the corporate network.

The study interviewed 18 enterprise CISOs, and all agreed: they are uncertain as to what really works at thwarting attacks on the network, but acknowledge that it will take a multilayered approach to stay safe. When weighing how much to spend on security, RAND noticed that spending wasn’t necessarily proportionate to the value of the assets being protected. The number one reason given for more cybersecurity investment was not to keep information safe, but rather to protect reputation. The desire to save face comes amid embarrassing retail and financial breaches in 2014 that damaged stakeholder confidence and heightened public awareness of cyber-related issues. But I’d have to disagree again, Think Tankers. Cyber security, especially in today’s increasingly connected world, is existential. Losing data is bad. Losing customers is bad. But when you start to introduce sensors into the mix, you could begin losing much more valuable assets, with direct impact on business operations or public safety. To get more into the numbers:

RAND explored the cost of security in the following categories:

  • losses from cyberattack
  • direct costs of training users
  • direct cost of buying and using tools
  • indirect costs associated with restrictions on the ingestion of BYOD/smart devices
  • indirect costs of air-gapping particularly sensitive subnetworks.

The outcome? A predicted 38% increase in cyber security costs over the next decade. The biggest impact would come not from the cost of a breach, but rather from the cost of the people, policies and products necessary to address emerging challenges. RAND refers to these as “instruments”; tools, training, BYOD/smart device restrictions, and air-gapping ranked as the most effective safety nets for organizations. Not surprisingly, the model shows that the more connected the business is, the higher the risk. In the graph below, they highlight the dramatic rise in costs for ill-prepared IT teams that venture into the IoT without the right instruments.

The report concludes by reiterating the need for CISOs to be aware of the growing market for the illicit sale of vulnerabilities, exploits and valuable corporate data, but reminds executives to remain optimistic about the progress being made in software. Cybersecurity, in some ways, has improved dramatically since the 90’s, when SATAN, COPS, and Internet Scanner were all the protection available. However, we are also no longer looking at the 1M-node Internet of the 90’s, which means that in network security we have reverted to a primitive state. Either way, the RAND report contains enough statistical research that it takes a PhD to read, but it serves as an excellent wake-up call for CISOs to start raising awareness in the boardroom about the growing challenges and costs that are coming to fiscal budgets.

Connected Medical Devices Can’t Call in Sick — Bastille

One of America’s greatest contributions to society in the last 100 years has been the advancement of medical care. That progress has been made possible, in large part, by our achievements in technology. So it should be no surprise that the two have become inextricably intertwined; medical technology has produced incredible improvements in cost, efficiency, and patient health. However, this marriage of computers, communication, and devices has not come without challenges. TV shows have hypothesized about the hijacking of a vice president’s pacemaker, but are devices really vulnerable, or is this just a theatrical plot line for primetime drama?

In May of this year, TrapX Security, a cyber security defense company, released a report on MEDJACK (medical device hijack), its name for attacks that use medical devices as a foothold into a hospital. Investigating three devices commonly found in critical care departments, TrapX found that all of them were being used as an entry point to the hospital’s network and that data was being exfiltrated from the hospitals’ databases. In many cases, the malware identified was old; variants of Zeus and Citadel were specifically called out. Data exfiltration is one thing, but the TrapX researchers also found that the malware could alter patient records and potentially compromise the devices themselves. Other researchers are taking note of these physical vulnerabilities. This Wired article, released yesterday, details the ability to alter dosage parameters on a Hospira pump.

Of course, bodily harm is rarely the desired endgame, and the motivation for the recent attacks on hospitals comes down to basic greed. Electronic health records, or EHRs, can often sell for $50 or more on the black market. This is a far greater payoff than traditional credit card numbers, which are lucky to fetch a buck in today’s underground economy. EHRs are particularly attractive because of the amount of detail they hold about a patient – social security numbers, banking information and, most importantly, your medical ailments – as seen in the recent Anthem and Blue Cross breaches. This holistic information allows crooks to use your medical identity to acquire drugs or medical equipment, which can be sold for additional gain. Hackers have become creative; with the ransoming of photographs and data in vogue today, it is foreseeable that medical devices could also be held hostage for ransom.

Battling data thieves isn’t the only challenge facing hospitals today; they must also contend with the bureaucracy of being the most regulated industry in the country. All medical devices must be cleared or approved by the FDA prior to going to market, and it is this scrutiny that requires manufacturers to lock down all aspects of a device, thus creating an internet-connected “black box.” In fact, the majority of medical devices in hospital settings operate 24/7 without any visibility or control by hospital security staff. Since medical devices are manufactured and FDA approved with a high level of specificity, they can only be serviced and maintained by the original manufacturer. Combine these OEM resource limitations with the high level of need in critical care departments, and it’s little wonder that patches and security updates often go undone for long periods of time.

The OEM blind spots aren’t exclusive to medical care. In our own pilots, we routinely find third-party products with an open wireless connection that was completely unknown to IT staff. As companies look to improve efficiencies and leverage data coming from costly infrastructure investments, the security and connectivity of these OEM sensors need to be known and monitored in order to maintain the integrity of the network. Of course, that may be pie-in-the-sky thinking when you consider the billions of connections that will invade the corporate environment in the coming years.

As we continue to connect sensitive environments, it becomes harder to take this critical infrastructure offline for regular maintenance. It’s one thing to not be able to send emails while IT upgrades a server, but to patch the blood gas machines in the ICU will take careful planning. For now, we may have to settle for simple awareness. Unfortunately, this will likely mean more data breaches, but I’m hopeful that progress will be made before we actually see patient health impacts.

OpenDNS Report Details the Enterprise Risk of IoT — Bastille

This week OpenDNS released a report on the Internet of Things and Enterprise security. I found this report to be one of the most thorough, yet troubling, to date. I wanted to use this blog to summarize the findings and provide some context in which Enterprises can approach safety and the Internet of Things.

The report highlights a number of key areas. The first, which most companies are already aware of, is that the IoT will introduce new avenues of exploitation for all sectors of business. Perhaps one of the most troubling points in the survey was that of the 500 IT environments surveyed, 23% reported having no controls around IoT devices connecting to the network. I would argue that many of the 77% who claim to have such controls have, in practice, no ability to enforce them. This is a catastrophe waiting to happen in some of the world’s most sensitive verticals. The report specifically calls out higher education, managed services and the highly regulated healthcare industry as the most connected sectors it observed.

Looking at healthcare, for instance, the report revisited the Samsung Smart TV, which was the subject of a blog that I wrote a couple of months ago. Samsung’s Smart TV privacy policy indicated that the TV was constantly monitoring voice activity and transmitting this information to a third party. While this function can be turned off, it’s unlikely that many companies do so; after all, it negates the point of a smart TV. OpenDNS decided to test the TV and found that it was beaconing even when not in use, so long as it was powered on. To add fuel to the fire, the TV also beacons to a domain using an untrusted certificate, which the report notes has no logical use case. While the research didn’t find anything inherently malicious about the TV’s beaconing, that traffic is additional signal an attacker can use to monitor usage. Likewise, these TVs have a microphone and a web interface, making them a perfect – dare I say easy – target for a targeted attacker.

Andrew Hay, the report’s author, also explored the number of consumer devices entering and connecting to the corporate infrastructure. While Fitbit data was excluded from the report, OpenDNS notes that the majority of the IoT requests among the 70B daily Internet requests it examined from enterprise companies came not just from TVs, but from consumer products like Fitbit, Nest, and Western Digital’s cloud service. These consumer services keep company in what OpenDNS called “Bad Internet Neighborhoods.” According to Hay, the infrastructure hosting these devices’ cloud services also houses malicious domains, and some of the hosts are even susceptible to vulnerabilities such as Heartbleed and FREAK.

Of course, these problems will only perpetuate as IT departments struggle to identify these holes in their environment. And even once detected, some of the vulnerabilities remain outside of IT’s control. Patching, for instance, is often not feasible with consumer devices, and especially in healthcare, many IoT devices were never designed to receive patches.

IoT is in the enterprise, and it is penetrating deeper into the most sensitive verticals. DNS is an excellent instrument to identify the existence of devices and monitor them for malicious behavior; perhaps the important first step is the detection of these devices, followed by a layered approach to their security. Finally, Hay recommends that enterprise companies move beyond BYOD and develop a comprehensive IoT policy for employees. Of course, with the majority of new employees entering the workforce accustomed to an “always on” lifestyle, policies will be disregarded. The main takeaway from the report lies in the data. This is a great instrument for CISOs to take to the boardroom to reinforce the need for continued investment in IT security.
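To make the DNS point concrete, here is an added example of what "use DNS to find the devices and watch their behavior" looks like in practice. It is not code from the OpenDNS report or from Bastille's product; it is a small offline pass over constructed resolver log lines that (1) inventories clients by the consumer cloud domains they resolve and (2) flags a client that keeps resolving the same name on a steady cadence outside business hours, the "beacons even when nobody is using it" behavior noted above for the Samsung TV. The log format, the domain-to-device mapping and the thresholds are assumptions for illustration.

```python
"""Inventory IoT devices from DNS query logs and flag idle-hour beaconing.

Added example (not from OpenDNS or Bastille).  Input is a constructed
resolver log with one query per line: "<ISO timestamp> <client_ip> <qname>".
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical mapping of DNS suffixes to device classes (assumption).
IOT_SUFFIXES = {
    "smarttv-example.net": "smart-tv",
    "fitness-cloud-example.com": "wearable",
    "thermostat-example.com": "thermostat",
}

# Constructed sample log: a TV beaconing every five minutes at 2 AM,
# a wearable syncing during the day, and a workstation doing ordinary lookups.
SAMPLE_LOG = """\
2015-06-02T02:00:00 10.1.4.23 telemetry.smarttv-example.net
2015-06-02T02:05:00 10.1.4.23 telemetry.smarttv-example.net
2015-06-02T02:10:00 10.1.4.23 telemetry.smarttv-example.net
2015-06-02T02:15:00 10.1.4.23 telemetry.smarttv-example.net
2015-06-02T02:20:00 10.1.4.23 telemetry.smarttv-example.net
2015-06-02T09:12:31 10.1.4.40 sync.fitness-cloud-example.com
2015-06-02T12:47:03 10.1.4.40 sync.fitness-cloud-example.com
2015-06-02T10:00:00 10.1.4.77 www.example.org
2015-06-02T10:30:00 10.1.4.77 mail.example.org
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, client_ip, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def classify(qname: str) -> str | None:
    """Return the device class for a queried name, or None if it is not a known IoT service."""
    for suffix, device_class in IOT_SUFFIXES.items():
        if qname == suffix or qname.endswith("." + suffix):
            return device_class
    return None


def inventory(records) -> dict[str, set[str]]:
    """Map each client IP to the set of IoT device classes it resolved."""
    seen: dict[str, set[str]] = defaultdict(set)
    for _, client, qname in records:
        device_class = classify(qname)
        if device_class:
            seen[client].add(device_class)
    return dict(seen)


def idle_beacons(records, start_hour=20, end_hour=6, min_queries=4, jitter=0.2):
    """Find (client, qname) pairs queried at a steady interval during idle hours.

    A pair is a beacon when at least `min_queries` queries fall in the idle
    window [start_hour, end_hour) and the gaps between them vary by no more
    than `jitter` of the mean gap.  Returns {(client, qname): mean_gap_seconds}.
    """
    buckets: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, client, qname in records:
        if ts.hour >= start_hour or ts.hour < end_hour:
            buckets[(client, qname)].append(ts)
    flagged = {}
    for key, times in buckets.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= jitter * avg:
            flagged[key] = avg
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IoT inventory:", inventory(recs))
    print("Idle-hour beacons:", idle_beacons(recs))
```

Run against a real resolver's query log, the inventory is the list of "things" IT never enrolled, and the beacon check is the cheap first filter for devices that talk when nobody is using them; the flagged pairs are what you then pull PCAPs for to look at certificates and destinations.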

Smart Cities Could Mean Metro Mayhem — Bastille

The world is awaiting the idea of the smart city; a city digitally connected to its residents and operators to provide an enhanced quality of life and cost savings. South Korea, Barcelona and now India are all boasting about their cleaner, greener and yes, smarter, city projects. And, while the idea of digitally driven cities is less common in North America, there is a growing momentum behind the idea, driven in large part by the massive growth and interest in the Internet of Things.

Frost & Sullivan estimates the Smart Cities market will grow to $1.5 trillion, but it’s unclear how much of that will be spent on security. What is clear is that without the proper security supporting these technical advances, the result could be chaos in the city. So, while communities enjoy free Wi-Fi that enables apps to find open parking spots from beaconing meters, are city leaders and residents alike truly ready for the security risk that comes with smarter urbanization?

My own city fell victim to a hack of public property when a digital billboard in one of Atlanta’s busiest intersections displayed lewd images for all of Buckhead’s citizens to see. The prank isn’t new; it was shown at DEF CON in 2013, and since then a number of how-to articles have made their way online. While a billboard has no ability to truly harm people or infrastructure, it is an example of the insecurities in the connected public domain. The following year at the same conference, Cesar Cerrudo of IOActive demonstrated how easy it was to take control of traffic control systems in major cities like New York and DC with less than $100 worth of equipment. Weak passwords and poor encryption make commandeering our traffic systems all too easy – and worse yet, remotely.

And we’re only at the beginning. Wellington Webb, former mayor of Denver, said it best; “The 19th century was a century of empires, 20th century was a century of nations and 21st century will be a century of cities.”

As the burgeoning population makes life less bearable in major cities, leaders are turning to technology to help ease the pain. If you’ve ever traveled on the tube in London, then you’ve heard the voice announcing that your train will be late for one reason or another. It’s for this reason that London has decided to completely revamp their tube system by leveraging IoT. This is on top of an already hyper-connected cityscape, including the largest CCTV network in the world and real-time traffic and air quality monitoring. You can even see how many bikes are available for rent in a city-wide data dashboard.

I’m sure that all of this instant information is great for app loving Millennials that thrive on knowing the easier, faster or better ways to get what they need, but could all this ubiquitous sensing birth a new breed of criminal? Smart Cities mean Smart Homes, and our own research has been able to bypass wireless security alarms, silence door chimes and render locking your vehicle impossible with a device purchased off of Amazon. And, according to a recent article, should such personal property violations occur, the police might be slow in responding due to potential vulnerabilities in connected police cars.

And then there’s the big one, the one that could cause major damage on a global scale: an attack on critical infrastructure. Real-time smart metering of water, energy, gas and oil via embedded technology widens the attack surface of our utilities exponentially. It also provides great data to help municipalities conserve resources and save taxpayer money, but that benefit will need to be balanced against public safety. And, while this entire blog has been riddled with FUD, it’s important to note that the good guys are doing something about it. Recently, my company joined Securing Smart Cities, a not-for-profit brainchild of Cesar Cerrudo of IOActive. The organization is comprised of several companies and cyber experts that realize the necessity of getting ahead of the risk that could come with smarter cities.

We all want to live in communities that are fiscally and socially responsible. And as we turn to technology to improve our quality of life, we must remain vigilant against its compromise by the bad guys.

The Mile High Club, of IoT of Course… — Bastille

A very elite club was just created by Chris Roberts, if his claims of commandeering an airplane are true. Modern-day transportation relies heavily on remote access to the outside world…and on consumer trust. These two things have been at odds recently, ever since the world read a tweet from Chris Roberts in which he jokingly suggested releasing the oxygen masks while aboard a commercial flight. Whether or not Roberts was actually joking about hacking the aircraft is up for debate, but the episode put a spotlight on a Government Accountability Office warning about potential vulnerabilities in aircraft systems via in-flight Wi-Fi.

What may be of graver concern is that Mr. Roberts claims he got into the electronics box under passenger seats 15-20 times, plugged in a CAT6 cable and fired up Kali Linux, or at least that’s what the search warrant says. If I were the passenger sitting next to him, it probably would have resulted in a call to the flight attendant to notify the air marshal on board. As a pilot myself, having a passenger issue a climb command and remotely monitor the cockpit would be disturbing to say the least. But maybe he did. And perhaps this is a wake-up call for all transportation industries to heavily consider security before they implement Internet connectivity.

While the aviation industry is downplaying the claims, United Airlines (the airline that banned Mr. Roberts for his attempt at in-flight humor) is taking security seriously. The airline has issued a bug bounty, compensating hackers with flight miles for reporting vulnerabilities in United’s customer-facing websites and apps. Though, and it’s important to note, there’s no reward for anything having to do with in-flight Wi-Fi or on-board systems. They’ve even gone so far as to warn that any attempt to access live systems would result in criminal consequences.

While I agree that we don’t want every 16-year-old script kiddie trying to tamper with people’s lives at 35,000 feet, I do wonder whether United or any of the other major carriers would be willing to park a plane at Black Hat. Surely, if they were certain that there is no way to exploit the pilot’s avionics, they would be willing to allow expert researchers to have a look while the plane is on the ground? Global information security could only improve if a major carrier or manufacturer hosted a hack week on a Dreamliner on the tarmac at McCarran International.

I’ll issue that as my own personal challenge to security minded commercial airline companies – allow these white hats access to a plane in a safe location so that you can be certain your passengers are safe. Right now, we’ve got claims, and refutes, but no one is really saying much more than that. Remove the doubt.

As for the concern at hand, this isn’t the first time that white hat hackers have claimed to be able to access, and potentially control or damage, commercial aircraft with simple methods. In 2013, a researcher by the name of Hugo Teso debuted an Android phone app at Hack in the Box, the Amsterdam con that draws thousands of security researchers, claiming he could override the autopilot from the smartphone. He did it by pushing messages through the aircraft communication system (ACARS), which he claimed had no security, and said the exploit could be carried out remotely from the ground. This was all done in a lab, of course. But it was a strong thesis. And for those wondering about the app: it was never intended for public consumption.

For now, the good news remains that these guys are on the right side, having no other motivation than to make air travel safer. But as we move into a world where transportation is more heavily reliant on Internet communication and embedded sensors, these types of vulnerabilities will have the potential to fall into the wrong hands with devastating consequences. This is why IoT security has to remain first priority, above and beyond any conveniences or cost savings.

And for the record, if Chris Roberts did in fact breach a plane in flight, I do not ever condone that by any person – no matter how smart or well intentioned. I’ll leave by once again reiterating my offer to the airlines. Park one of these on the ground and let us help you make air travel as safe as possible.

Forget Back Doors – The IoT Makes it Just as Easy to Come Through the Front — Bastille

The alphabet soup of acronyms describing the coming connected world is a signal that it is time to brush up on your security lingo, because the world is changing. IoT, M2M and ICS devices introduce an incomprehensible expansion of exploitable attack surface. Historically, information security has been defined as a perimeter around your most valuable IT assets, with different layers of protection for various areas of vulnerability. And while there is still a very healthy and innovative market for traditional information security, the ecosystem is changing and an increasing number of new threat vectors are being established. There was a time when security only needed to consider exposed web services as an attack vector. With the IoT, the attack surface expands beyond the web into hardware, multiple operating systems, multiple protocols and the cloud. Where there was one, now there are five…or more.

There are security companies that have introduced solutions to fix some of these gaps in protection. For device security, the market is steadily embracing MDM technologies. These platforms, with their very clever agents, allow organizations to secure data on mobile devices, remotely wipe them, and give individual access control to company assets. This seemingly convenient way to allow employees to use their own preferred devices has proven helpful; however, some Millennials in the workplace are beginning to object to the idea of “the man” having so much control over their personal devices. Just recently, a woman was fired for removing an app that tracked her whereabouts 24/7. The workforce management app seemed a little too “Big Brother,” which may well have corporations moving back to issuing company devices to employees. Of course, it doesn’t matter who owns the device: security at the device level still relies on an agent. As we move from a network of computers, tablets and smartphones towards a network of billions of connected “things,” installed agents simply can’t scale. The end result will be a multitude of unprotected “things.”

Protocols are also problematic…and profuse. There are more than 100 wireless protocols in the IoT that are invisible to the enterprise, even to companies using the most sophisticated security measures. The tools and technologies in use today protect environments from wired and Wi-Fi threats; in a couple of years, these will be the least of your worries. An office building with 5,000 employees, each with a 20-40 Mb/s LTE connection, essentially has 100-200 Gb/s of aggregate Internet connectivity that is completely invisible to the enterprise, and that is just counting personal cell phones. Of greater concern are the smaller, more fragile protocols that exist in the enterprise and operate quietly without causing much anxiety. ZigBee is one example. I have seen an engineer brick a ZigBee light bulb within minutes of unpacking it, simply by sending malformed packets. This would be the equivalent of opening a telnet connection to port 23 of a router, holding down CCCCCCCCCCCCCCCC, and the router being destroyed, with no chance of repair other than being sent back to the factory. I’m certainly not picking on ZigBee; it is just one example of the protocols in the enterprise that could be vulnerable to basic attacks.

In another example of IoT vulnerability, our R&D teams analyzed an IoT deadbolt lock. We were surprised to find many more doors into the product (no pun intended) than we expected. When we decompiled both the Android and iOS versions of the management software for the device, we discovered that these were clearly developed by several different teams and it appeared that the testing was done on individual pieces of the product, but a full code audit wasn’t done on the product as a whole. This meant we could use the app to access not just the hardware, but also the manufacturers’ servers. As more companies outsource development of various product layers, the attack surface will continue to expand.

In the examples I’ve talked about, it’s clear that there is still work to be done on IoT hardware, applications and protocols. But perhaps what will be most paramount to IoT success is the cloud. I have a startup, and we don’t own a single server; there is no need to in 2015. IoT devices don’t want a server; they will communicate through a gateway or, as in my earlier example, through a mobile application. IoT devices will pair, provision and license through the cloud. When credentials or other key security parameters can be extracted wirelessly, through packet sniffing, or through the unbelievably common practice of hard-coding credentials into mobile apps, the provisioning of these devices can be compromised. Just ask any of the Snappening victims how much devastation can be done by neglecting basic encryption.
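The deadbolt analysis above, and the hard-coded-credentials point that follows it, both come down to one check you can run before trusting an IoT companion app: decompile it and look for secrets baked into the binary. Here is an added example of that check. It is not Bastille’s tooling and not the code of any app we analyzed; it is a small scanner you would point at the string output of a decompiler (jadx, apktool, class-dump, strings) and it flags three things: a credential-looking identifier assigned a string literal, a URL with user:pass@ embedded, and a hard-coded HTTP Basic header. The sample decompiled source is constructed, and the identifier names and URLs in it are assumptions for illustration.

```python
"""Scan decompiled mobile-app source for hard-coded credentials.

Added example (not Bastille's tooling).  The SAMPLE_SOURCE below is a
constructed stand-in for what jadx might emit for an IoT companion app.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Constructed sample: a decompiled Java class with several planted secrets.
SAMPLE_SOURCE = """\
package com.example.lockapp;
public class CloudClient {
    private static final String BASE_URL = "https://api.lock-example.com/v1/";
    private static final String API_KEY = "AKIAEXAMPLE0123456789";
    private static final String ADMIN_PASSWORD = "ChangeMe123!";
    private static final String FIRMWARE_URL = "https://svc:s3cr3t@files.lock-example.com/fw.bin";
    private static final String AUTH_HEADER = "Basic c3ZjOnMzY3IzdA==";
    private static final String LOG_TAG = "CloudClient";
    public String version() { return "1.4.2"; }
}
"""


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # which pattern fired
    evidence: str   # what was found, with the secret part masked where possible


# An identifier containing PASS/PASSWORD/SECRET/API_KEY/TOKEN assigned a string literal.
CRED_NAME = re.compile(
    r'\b([A-Za-z_]*(?:PASS(?:WORD|WD)?|SECRET|API_?KEY|TOKEN)[A-Za-z_]*)\s*=\s*"([^"]+)"',
    re.I,
)
# scheme://user:password@host  (credentials in the URL userinfo component).
USERINFO_URL = re.compile(r'[a-z][a-z0-9+.-]*://([^/\s:@"]+):([^/\s@"]+)@', re.I)
# A literal HTTP Basic authorization value.
BASIC_HEADER = re.compile(r'"Basic\s+([A-Za-z0-9+/=]{8,})"')


def _decode_basic(token: str) -> str | None:
    """Decode a Basic token; return 'user:pass' if it is one, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return raw if ":" in raw else None


def scan_source(text: str) -> list[Finding]:
    """Return every hard-coded credential pattern found, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_NAME.finditer(line):
            findings.append(Finding(lineno, "credential-literal", f"{m.group(1)}={m.group(2)}"))
        for m in USERINFO_URL.finditer(line):
            findings.append(Finding(lineno, "userinfo-in-url", f"{m.group(1)}:***"))
        for m in BASIC_HEADER.finditer(line):
            decoded = _decode_basic(m.group(1))
            if decoded:
                user = decoded.split(":", 1)[0]
                findings.append(Finding(lineno, "basic-auth-header", f"{user}:***"))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.evidence}")
```

Any hit is a shared secret that every copy of the app carries, which means every user of the product can extract it and talk to the manufacturer’s cloud as the app does; that is the path from "we can control the lock" to "we can reach the vendor’s servers" described above. Per-device credentials issued at pairing time, never a constant compiled into the app, are the fix.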

What does this mean for you? We are all in a Brave New World when it comes to security and the IoT. We are surrounded by blind spots that have the potential to be seen by the bad guys before the rest of us. For Information Security professionals, it’s imperative that you prepare for intrusions to come from multiple angles.

Top 10 Internet of Things Tweets at RSA 2015 — Bastille

It’s been a great two days of information sessions and expo mingling at the 2015 RSA Conference (#RSAC) in San Francisco. In conjunction with our first birthday, Bastille is debuting at RSA in booth S2426, demoing our IoT security solution for the 30,000 security professionals in attendance. The trade show isn’t nearly over, but one thing is clear – IoT is hot. An RSA spokesperson acknowledged that speaking submissions for IoT-related topics were up 450% compared to last year, and Twitter has been abuzz with IoT chatter.

Without further ado, here are our Top 10 IoT Tweets from RSA 2015 (so far):


How the IoT Has Invaded My Life — Bastille

It is impossible to create a usable environment that is 100% free from risk. Whether in your home or business, the cost of embracing technology is accepting some risk via new IT services. The more services in use, the more vectors are created for bad guys to exploit.

The corporate computing environment is incredibly complex. Think about what it takes to service tens of thousands of workstations and servers. It involves layer upon layer of infrastructure such as routers/switches, core services such as service directories (DNS/LDAP/Active Directory), and ingress/egress technologies such as proxies and firewalls. Each of these layers requires dedicated experts to manage and deploy, but the mitigation of risk created by these layers is the job of the lonely and often understaffed InfoSec group.

Now consider a much simpler environment, the common home. Most people do a pretty good job of locking their doors and windows to create some barrier to entry. But as they add more technology to their home, they too are increasing their risk. As I look at my own environment, I see a multitude of vectors that have been created by various Internet of Things (IoT) devices:

  • A wireless security system that runs over Bluetooth and Wi-Fi, can be armed and disarmed from a mobile phone, and sends alerts before the police arrive.
  • Wireless cameras connected to the cloud.
  • Yard controls that let me turn my heater, lighting, and irrigation on and off via a proprietary wireless transmitter connected to the cloud.
  • TVs and Roku/Chromecast-style devices that connect over Bluetooth and Wi-Fi and create their own networks in order to share content.
  • Wearables have invaded my home. Three family members now monitor their vitals with Fitbit, iHealth and other products, each transmitting sensitive data to the cloud.
  • We are even tracking how we dribble basketballs and kick soccer balls, since Santa brought my kids the latest IoT-enabled sporting toys.
  • One family member recently had a wireless heart monitor surgically implanted that uploads vitals to a website for their doctor to view.
  • We have about a dozen smartphones, tablets, and laptops constantly connected, each one a candidate for malware infection.

Think for a minute about how my once-secure home has been opened up by this new era of IoT connectivity. We already know that wireless home security systems are vulnerable to attack. By connecting household controls, I am, at minimum, giving outsiders a way to observe my daily habits and ultimately profile my comings and goings.

Having previously been tasked with securing a Fortune 100 infrastructure, I have risk constantly on my mind, and I am waging a friendly battle with family members to walk the line between security and convenience, urging them to turn off services that are not needed, change passwords, and so on. I try to put our mobile devices on a separate network so my personal files are not easily exposed. But while I know the risks given my profession, many other families are oblivious to the tradeoff between the conveniences of connectivity and safety.

Companies may not have seen an influx of IoT into their environment at the same pace as I have witnessed in my own world, but it is like a freight train barreling towards them. The same technologies that have made my personal world more connected and useful are quickly being positioned for use in the enterprise. Employees are bringing new devices in en masse. Departments are looking to manage infrastructure with new sensors and controls. The major industrial control manufacturers and integrators, such as Honeywell, Emerson, Schneider Electric, Siemens, GE and Tyco, are touting how they have embraced the IoT. The time is now to start thinking about how to embrace the IoT in the environment by surrounding it with security.

FTC Report on IoT: The Debate over Opportunity, Liability, and Privacy — Bastille

FTC Report on IoT: The Debate over Opportunity, Liability, and Privacy

Over the weekend, I combed through the FTC’s recent report – all 71 pages – on the Internet of Things (IoT), entitled, The Internet of Things – Privacy and Security in a Connected World. 

Everything that I had previously read online about the report revealed nothing novel about IoT that I had not already heard, or said myself. But since it took the FTC over a year to produce, I thought a close inspection of the report was warranted. Surely there would be some nuggets of substantive information lodged within six dozen pages of bureaucratic conjecture, right?

Luckily for me, Ofcom, the communications regulator in the UK, released a similar report just days before the FTC, which I also read through for comparison. In the end, neither report produced any earth-shattering revelations or actionable advice. Neither was much more than a situation analysis.

Nonetheless, there are four key takeaways central to the report worth discussion.

Key Takeaway #1: IoT Holds Promise

In what comes as no surprise to the IoT enthusiast, both reports proclaim healthcare to be the industry that stands to benefit the most from IoT, mainly through embedded devices. Instant, data-driven reporting to doctors promises a huge leap forward in the treatment of chronic conditions like diabetes. Because people will no longer have to rely solely on patient self-reporting, treatment can become more timely and accurate, potentially yielding a significant improvement in patient outcomes and a cost savings for doctors, hospitals and pharmaceutical companies. Both reports also expect transportation and energy to be the secondary industries to see the most benefit from IoT. We already know this to be true, as major enterprises like GE and AT&T are steadily driving Machine-to-Machine (M2M) innovations, also referred to as the “Industrial Internet of Things.”

Additionally, we’re already witnessing rapid adoption of any and all IoT by consumers. In fact, IoT is exploding so rapidly that Gartner expects there to be a quarter billion connected cars by 2020! Other devices, such as smart TVs, IoT fitness bands and digital thermostats like Nest, are also gaining popularity en masse.

But as the FTC appropriately states, the one barrier to IoT reaching its mass-market potential is consumer trust: adoption will track how successful vendors are at establishing it. Ultimately, if people don’t feel safe with the constant communication of IoT devices, they will hold back. Whether it is a CIO who is leery of a new industrial control system or a consumer worried about their healthcare data being compromised, IoT vendors must continue to make strides that reinforce confidence in their products.

Key Takeaway #2: Developer Liability is Minimal at Best

Both the FTC and Ofcom strongly recommend that IoT device manufacturers start producing devices with “security by design,” meaning that security must be considered at the onset of product development.

However, in somewhat of a contradiction to this recommendation, the FTC openly questions whether device manufacturers actually have the security experience and expertise to ensure that products coming to market are safe. The FTC also cautions that many devices are inexpensive or “disposable,” which calls into question whether the ongoing cost of threat assessment and of patching each new attack vector as it is discovered is ever going to be justified for a device that sells for a few dollars and is thrown away when it breaks.

As you might suspect, billions of connected devices have expanded the attack surface enormously. In fact, 2014 was referred to as “the year of the hacker” by multiple news outlets. But what many people don’t know is that the Home Depot and Target breaches were actually the result of exploited IoT within the enterprise. Of course, there were also notable IoT breaches of consumer devices in 2014: German researchers, for example, were able to use a smart meter’s readings to determine what TV shows you watch, hackers heckled a toddler through a baby monitor, and a third-party app proved to be a playground for misuse.

One of the most critical discussion points left out of the FTC paper, but highlighted in the Ofcom paper, was the IoT communication infrastructure. IoT devices currently operate across a broad range of the RF spectrum. While the Ofcom report noted that spectrum availability would not be a barrier to the success of the IoT, it did raise the long-term viability of the available bands. The same holds true for network availability for all of the millions, potentially billions, of devices in our future.

Simply put, enterprise security monitoring and detection for devices that operate on the wireless spectrum outside of Wi-Fi is non-existent, leaving corporations highly susceptible to increasingly sophisticated adversaries with tangible motives.

In my opinion, both reports were devoid, probably intentionally so, of actionable advice, reinforcing my belief that we’re still charting new territory. The truth is simply that none of us, including the FTC, fully know or understand where the unintended consequences of IoT will rear their ugly head. That’s probably why the FTC also decided that any government regulation at this point could stifle innovation more than it would ease consumer concerns. So, Americans will still be faced with a buyer-beware scenario, at least in the short term.

Key Takeaway #3: The Parable of Privacy – IoT is all about Data

The word parable is often used to describe a story intended to teach a lesson. Perhaps the greatest lesson we have yet to learn is how to truly protect our data. As the IoT ushers in modern conveniences like not having to call our doctors to report pacemaker readings, and gives us the ability to access enterprise control systems remotely, the real value for adversaries will reside in the data being collected and in whether they can manipulate it to their own ends.

In a sense, IoT devices are really just a courier for data flow, allowing us to analyze trends and, ultimately, make more informed decisions about our lives and our businesses. In order for this to happen, however, we must not only agree to give up our data, but also allow it to be transmitted to our vendors – and potentially their vendors – so that in turn, we can access actionable insights into our performance. But, how much of our data should be up for grabs?

Data privacy was one of the most contentious issues addressed in the FTC’s report. Device manufacturers are looking to harvest as much data as they can, seeing infinite possibilities for future product enhancements and offerings. However, the FTC warns that any accumulation of data only serves to make companies and consumers more attractive to criminals who want to misuse it.

The FTC thus recommends data minimization: only collecting what is necessary and destroying data once it is no longer needed, in addition to plainspoken privacy statements and opt-in choices that let consumers decide what they share. Of course, we encounter so many of these lengthy documents (averaging around 2,500 words) each year that we rarely have the time to read them. But as long as consumers are willing to give up everything in the name of convenience, which many Millennials have proven they will, IoT device manufacturers will continue to collect all available information to profit from your patterns in the future.

As the entirety of the IoT market now hinges on consumer adoption driven by trust, it’s probable that manufacturers will advance their focus on security to some extent, just like the FTC recommends.

Key Takeaway #4: Prepare for the Debate to Continue

I found it both interesting and also annoying that the FTC used the word ‘reasonable’ 32 times, calling on IoT providers to implement “reasonable security,” meet “reasonable privacy expectations,” and offer “reasonable data protection” for IoT devices. The use of this subjective adjective ensures that the conversation around what is reasonable will continue.

The FTC report, in large part, is nothing more than a starting point for a debate on IoT and the security concerns it creates. Those of us in the industry likely read the report and were disappointed or surprised by its actual content. But in hindsight, what exactly should have been expected? It’s likely that we’ll need to see more substantial breaches from the IoT before we ever get a clear definition of what’s reasonable in our connected world. It’s something that we all must consider, individually and as businesses: what exactly constitutes reasonable risk for the rewards of technology?

Five Ways IoT Will Impact Your Business This Year — Bastille

Five Ways IoT Will Impact Your Business This Year

The Internet of Things has gained historic momentum and exposure since the last quarter of 2014. No longer are there differing opinions around viability – general consensus is that IoT is here to stay. Beyond staying power is the staggering amount of growth that is expected in the coming years. If you follow IoT, which you likely do if you’re reading this blog, I’ll just simply reiterate that there will be TENS OF BILLIONS of devices in a market worth TRILLIONS of dollars in the next five years.

But, what about this year? There are five ways that IoT will impact every organization before the year is over. 

Network Bandwidth – Gartner predicts that the average enterprise network will see 28% compound annual growth in bandwidth through 2017, a demand nearly 20 times larger than what was required in 2012. IDC predicts that by the same year networks will go from having a surplus to being constrained, forecasting that 10% of companies will be overwhelmed. Bottom line, your pipeline is already handling more than imagined with video and application demand; now imagine putting a funnel on it to bring in even more traffic from RF-connected devices. This could disrupt business continuity and should be addressed and budgeted for in the short term. Consider also the incredible network bandwidth 4G/LTE devices bring into the enterprise. I typically carry an iPad and iPhone, a laptop, a FitBit, and a Bluetooth headset. My two LTE devices have about 20 Mb/s of uplink apiece. Give each of 5,000 employees just one such device and you are talking about 100 Gb/s of potential outbound data leakage over RF, none of which ever touches the corporate network.

Data Risks – Big data just got bigger. Corporations looking to connect devices to the Internet and harvest their data will have to consider which pieces of information are really valuable. This will usher in a new need for analysis, storage, and security. For instance, if your HVAC system collects operational data, do you need to analyze all of it, or just the data from your data centers and other high-consumption areas? It remains to be seen what the impact of having so much data will be once the enterprise looks beyond its industrial infrastructure. Wearables and BYOD devices, whether company-issued or brought in by gadget junkies, will mean a steady increase in data moving on the corporate network. Some of this data will contain sensitive information that, if intercepted, could lead to embarrassment or financial loss. Bottom line, corporations must plan for the data implications: storage, analysis, and not becoming the next Sony.

New Threat Vectors – The news isn’t good, folks. Retail was hit the hardest in 2014, costing Target and Home Depot millions, and healthcare is predicted to claim the top spot for data breaches in 2015. With embedded devices and decentralized mobile computing transforming patient care and reducing costs, it’s not surprising that hospitals and medical devices would be prime targets for exploitation. But the reality is that every connected device presents an opportunity for misuse. Hackers will seek to exploit insufficient security in rushed-to-market products to steal data or spread malware. Corporations and consumers alike should get used to this ‘Brave New World’ where we gladly forfeit security for convenience and efficiency. The mesh of protocols and platforms will only prove to be more opportunity for the bad guys. It will be very important for organizations to know their traffic patterns and be able to react quickly to anomalies. The average breach takes months to discover, and one survey suggests this could be, in part, because only 20% of companies continuously monitor their traffic.
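Knowing your traffic patterns well enough to react to anomalies does not require a big-data platform to get started. The script below is an added example written for this post, not Bastille’s code or any product’s: it builds a per-device baseline from a few days of flow summaries and then flags three things on a new day’s flows that an IoT-heavy network should care about, namely a device whose MAC is not in the asset inventory, a known device talking to a destination it has never talked to before, and a known device whose outbound volume blows past its own baseline. The flow records, the inventory, and the MAC and IP addresses are all constructed for the demonstration.

```python
"""Flag unknown devices, new destinations and outbound-volume spikes
from NetFlow-style flow summaries. Added example; constructed data."""
import csv
import io
import statistics
from collections import defaultdict

# Constructed baseline window (three quiet days). Each row is a per-flow
# summary: the day it was seen, source MAC, destination, bytes leaving the LAN.
BASELINE_FLOWS = """\
day,src_mac,dst_ip,dst_port,bytes_out
2015-03-02,aa:bb:cc:00:00:01,203.0.113.10,443,1200000
2015-03-02,aa:bb:cc:00:00:02,198.51.100.7,8883,40000
2015-03-03,aa:bb:cc:00:00:01,203.0.113.10,443,1100000
2015-03-03,aa:bb:cc:00:00:02,198.51.100.7,8883,42000
2015-03-04,aa:bb:cc:00:00:01,203.0.113.10,443,1300000
2015-03-04,aa:bb:cc:00:00:02,198.51.100.7,8883,39000
"""

# Constructed "today": the HVAC controller suddenly pushes 9 MB to a host it
# has never contacted, and a MAC nobody inventoried shows up on the wire.
TODAY_FLOWS = """\
day,src_mac,dst_ip,dst_port,bytes_out
2015-03-05,aa:bb:cc:00:00:01,203.0.113.10,443,1250000
2015-03-05,aa:bb:cc:00:00:02,198.51.100.7,8883,41000
2015-03-05,aa:bb:cc:00:00:02,192.0.2.99,443,9000000
2015-03-05,aa:bb:cc:00:00:77,192.0.2.50,80,300000
"""

# Hypothetical asset inventory: MAC -> description. IoT gear rarely has a
# hostname, so the MAC is the only stable identity most networks can key on.
INVENTORY = {
    "aa:bb:cc:00:00:01": "lobby camera",
    "aa:bb:cc:00:00:02": "HVAC controller",
}


def parse_flows(text):
    """CSV text -> list of dict rows (bytes_out kept as str until summed)."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_bytes_per_device(flows):
    """{mac: {day: total bytes_out}} so a chatty day counts once, not per flow."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src_mac"]][f["day"]] += int(f["bytes_out"])
    return totals


def build_baseline(flows):
    """Per device: median daily outbound bytes and the set of (ip, port)
    destinations seen. The median resists a single noisy day in the window."""
    totals = daily_bytes_per_device(flows)
    dests = defaultdict(set)
    for f in flows:
        dests[f["src_mac"]].add((f["dst_ip"], f["dst_port"]))
    return {
        mac: {"median_bytes": statistics.median(days.values()),
              "dests": dests[mac]}
        for mac, days in totals.items()
    }


def find_anomalies(today_flows, baseline, inventory, factor=5.0):
    """Return [(mac, reason), ...]. A device may produce several reasons."""
    findings = []
    totals = daily_bytes_per_device(today_flows)
    for mac, days in totals.items():
        today_bytes = sum(days.values())
        if mac not in inventory:
            findings.append((mac, "unknown device"))
            continue
        base = baseline.get(mac)
        if base is None:
            findings.append((mac, "no baseline"))
            continue
        if today_bytes > factor * base["median_bytes"]:
            ratio = today_bytes / base["median_bytes"]
            findings.append((mac, f"outbound {ratio:.1f}x baseline"))
        seen = {(f["dst_ip"], f["dst_port"]) for f in today_flows
                if f["src_mac"] == mac}
        for ip, port in sorted(seen - base["dests"]):
            findings.append((mac, f"new destination {ip}:{port}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    for mac, reason in find_anomalies(parse_flows(TODAY_FLOWS), baseline, INVENTORY):
        print(f"{mac} ({INVENTORY.get(mac, 'not in inventory')}): {reason}")
```

On the constructed data the lobby camera is quiet, the HVAC controller trips both the volume and the new-destination checks, and the uninventoried MAC is reported on its own. The `factor` threshold is deliberately coarse; in practice it is tuned per device class, and the inventory check is the one that pays off first, because it is how the uninvited RF-to-Ethernet bridge or employee-brought gadget gets noticed at all.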

Patches – IoT sensors are small and dispersed by design, which is what allows them to spread far and wide like little data-collecting honeybees. This compact nature is great for gathering lots of data and intelligence, but it also means that IoT sensor computing power (and with it battery life) is constrained. Because of this, over-the-air updates are challenging, and patches on many IoT devices must be applied manually. Unfortunately, when updates require human intervention there is not only a drain on resources but also an additional layer to consider in patch management policies. The enterprise struggles to keep up with patching today, but by 2020 we are talking about TRILLIONS of patches a year; entrepreneurs take note, there’s probably a new startup there, ‘GigaPatch’.

Dark IoT – There has been a lot of media coverage of the dark web lately with the prosecution of the founder of Silk Road, a marketplace for just about anything illegal or immoral. The truth is that Silk Road and its variations are just people using the Internet for bad, just as hackers have used exploits for harm. With all good comes some bad, and this is true for IoT. The promise of efficiency, cost savings, and increased convenience also brings with it the prospect of harmful IoT products. For less than $100 you can get an IoT keystroke logger, cleverly disguised as a phone charger, that records the typing from nearby wireless keyboards. This is just the beginning of embedded devices being used as vehicles for wrongdoing.