BreachExchange mailing list archives

IoT security: It's not too late to get it right!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Mar 2015 19:52:17 -0600

http://www.scmagazine.com/iot-security-its-not-to-late-to-get-it-right/article/403505/

On January 27, 2015, the Federal Trade Commission (FTC) issued a report on
proposed best practices for businesses to protect consumer privacy and
security in the Internet of Things (IoT) world.  Among other things, it
addressed what reasonable security for IoT devices should be, advocating
processes it calls “Security by Design.” Legislators may be calling for
manufacturers to earn the trust of consumers by hardening IoT (i.e.
embedded devices), but until we address the reasons why they're not already
being built with security in mind, not much is likely to change.

From a technology perspective, one of the main reasons why IoT devices are
insecure is because most of them are built on Open Source operating systems
and software, which often consists of old (and hence vulnerable) pieces of
code rarely checked by the manufacturer. Fixing this problem would place a
major drag on the fast track to market IoT products are currently on.

As much as I applaud the FTC for making security a priority, its
recommendations are light years away from where the current IoT security
bar is. If implemented in full, the added cost of Security by Design could
have such an impact on the economics of bringing these devices to market
that it could either a) make them cost prohibitive to consumers or b) no
longer offer attractive returns to manufacturers.

Hopefully it won't take a major IoT breach to mobilize manufacturers to
implement Security by Design.  And bear in mind - while the IoT may still
be in its infancy, the Internet of Things is already here. According to the
FTC, the Internet of Things is expected to expand from 25 billion devices by
the end of this year to 50 billion by 2020, which begs the question – when
are we going to get serious about IoT security?

Security needs to be woven into the fabric of all IT systems – end of
story.   While we may be a ways off from what the FTC recommends, there are
still plenty of things consumers and IoT manufacturers can do to start
moving the needle in the right direction. If we get serious about security
now, we can prevent the scenario that occurred in the enterprise where time
and time again, productivity and convenience trumped security.

We can't undo mistakes already made in the enterprise, but we still have a
chance to get IoT security right. If manufacturers won't do it on their
own, then maybe they need to be legislated into it (an option the FTC
thought was ‘premature’) or perhaps the private sector can mandate security
standards along the lines of what the credit card companies did with PCI.

However it unfolds, if we don't create the needed groundswell to implement
IoT security, then we are part of the problem. So with that in mind, here
are a few things that manufacturers can do to start to move the needle:

- Perform a thorough code review: If you are leveraging Open Source code
then you need to take responsibility for the security and integrity of that
code.  Even if manufacturers can't fix all the problems right away, they'll
know what they need to do.
- Hire a coder that understands security and can address security issues
through each phase of development.
- Hopefully the first thing that coder will do is to SANITIZE ALL USER-INPUT
STRINGS! And stop hardcoding 'hidden' administrative credentials, which are
sure to be found and exploited by hackers.
- Involve and educate consumers about security and build mechanisms into
the device that will help consumers make the right decisions regarding
privacy and security.
- Include instructions for secure usage – in layman's terms.
- Partner with a VPN server vendor that makes products for home use.
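The two concrete items on that list, sanitizing user-supplied strings and not shipping a hardcoded administrative password, are illustrated in the added example below. It is not code from the article or from any manufacturer; the hostname field, the in-memory credential store standing in for flash storage, and all names and values are assumptions made for the illustration.

```python
"""Added example (not from the article): (1) allowlist validation of a
user-supplied device hostname before it reaches any command or config
parser; (2) a per-device admin password generated at first boot and stored
only as a salted hash, instead of a constant compiled into every unit.
All names, paths and values here are assumptions for the illustration."""
import hashlib
import hmac
import os
import re
import secrets

# (1) Allowlist validation.  A device web UI commonly accepts a hostname from
# the user; the dangerous pattern is interpolating that string unvalidated
# into a shell command or a config file.  Accept only what RFC 1123 allows
# in a hostname (letters, digits, hyphens, dot-separated labels) and reject
# everything else, rather than trying to strip "bad" characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(value: str) -> str:
    """Return the hostname unchanged if well-formed, else raise ValueError."""
    if not HOSTNAME_RE.match(value):
        raise ValueError("rejected hostname: %r" % value)
    return value


def set_hostname_command(user_value: str) -> list:
    """Build the argv for the hostname change as a list (no shell involved).
    Validation runs first so that even a downstream config-file writer never
    sees separators or metacharacters it might misread."""
    return ["hostname", validate_hostname(user_value)]


# (2) No hardcoded admin credential.  The 'before' pattern is a constant such
# as ADMIN_PASSWORD = "admin" baked into the firmware image.  Here the device
# generates a random password per unit on first boot, keeps only a salted
# PBKDF2 hash, and verifies with a constant-time comparison.
PBKDF2_ROUNDS = 100_000  # assumed value; tune to the device's CPU budget


class CredentialStore:
    def __init__(self):
        # Constructed in-memory stand-in for the device's persistent storage.
        self._records = {}  # username -> (salt, hash)

    def provision_admin(self) -> str:
        """Generate a per-device admin password and return it once, so the
        setup screen (or a printed label) can show it to the owner."""
        password = secrets.token_urlsafe(12)
        self.set_password("admin", password)
        return password

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[user] = (salt, digest)

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Do the same work for an unknown user so timing does not reveal
            # which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(set_hostname_command("living-room.lan"))
    store = CredentialStore()
    first_boot_password = store.provision_admin()
    print("admin login works:", store.verify("admin", first_boot_password))
    print("default 'admin' rejected:", not store.verify("admin", "admin"))
```

The allowlist approach is deliberate: a blocklist that strips `;` or `|` misses whatever the next parser in the chain treats as special, whereas a positive grammar for the field rejects anything unexpected. Likewise the credential store never holds a usable password after provisioning, so a firmware image pulled from the device yields hashes, not a master key shared by every unit.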

And consumers need to do their part as well.   Hackers count on consumers
to make their job easy for them by engaging in insecure online behavior.
Everyone always thinks, “Who would want to hack me?” but today, hacking is
more business than personal.  If a consumer chooses to use an IoT device
that collects information, they should quiz their vendor on their data
protection policies, pay close attention for firmware upgrades and
carefully inspect any email sent by the vendor with a link in it or asking
them to download something.

The good news is that IoT devices have a much more manageable attack
surface to contend with. The combination of security by design and making
it easy for consumers to adopt more secure behavior can enable us to get
security right in the IoT era. Let's not have 2015 be “The year of the IoT
breach.” We can prevent this from occurring if we act now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
