BreachExchange mailing list archives

FBI CISO warns of IoT data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Sep 2015 11:52:33 -0600

http://searchsecurity.techtarget.com/news/4500254067/FBI-CISO-warns-of-IoT-data-breaches

The FBI's chief information security officer warned that the impact of IoT
data breaches could be much worse for end users than previous enterprise
data breaches.

During her keynote address at the 2015 IoT Security Conference in Boston
Tuesday, FBI CISO Arlette Hart discussed how the growth rate of the
Internet of Things (IoT) is outpacing IoT security efforts and implored
enterprises to take action before disaster strikes. With technology, "Cool
trumps safe," she said. "The capabilities themselves are almost always
developed without security in mind. We need to change that [for IoT]."

IoT introduces an overwhelming amount of new devices, data, network
traffic, and protocols that has already had a profound impact on IT and
cybersecurity strategies. IoT data, she said, will change how breaches
affect end users. With recent retail data breaches, Hart said the impact
has been "relatively light" on end users.

But in the case of an IoT data breach, Hart said, the impact will have
serious effects on end users because their sensitive data is interconnected
with personal devices like their door locks, cars, baby monitors,
thermostats, lights, security cameras, and other household appliances. That
information, in the hands of a cyber criminal, can be devastating and
result in a serious breach of privacy.

"Last year I got a new credit card. I got credit monitoring too. What else
did I feel from all of these breaches?" Hart said. "But when we move into
IoT, I think the world is going to change a little bit. I think it's going
to change to the point where, when compromises happen, people are going to
feel it."

As IoT data is created, transmitted, and stored, it represents a new
opportunity for threat actors to steal sensitive information, Hart said. It
also poses significant threats to the enterprise and the end user because
cybercriminals can cause physical havoc by tampering with devices.

Hart notes that it's not just outsiders that enterprises need to be wary
of. "Malicious insiders are an internal threat to your infrastructure. The
inadvertent insider is one of the biggest causes of compromise. You trust
our employees, really? You have forty thousand employees and not one of
them is bad?"

New technologies mean new security challenges, Hart said. Many IoT devices
have serious vulnerabilities and no dedicated security protection, and if
they haven't been hacked, they will be. However, the IoT security landscape
is rocky because IoT is a new and developing technology and there is a
general lack of standards in the space, she said.

On the bright side, however, Hart said technology companies understand that
IoT security needs to be addressed, and many companies and organizations
are already working on developing industry standards and regulations.

"This is only going to happen through self-regulation because, frankly, you
are all moving way too fast for the government to be able to catch up with
you," she said. "Self-regulation is critical to this [IoT security] effort."

On the other hand, Hart said, threat actors know that the growing number of
connected devices holds valuable data and will likely step up their attacks
on IoT targets.

"The threat vectors are increasing and they're pervasive and they're going
to keep on coming and they're going to accelerate because this is such a
rich field," Hart said. "IoT compounds the security challenges that we
already have."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/