Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Security of Internet of Things in Spotlight at RSA Conference

RSA Conference 2015 — The security challenges posed by the growth of the Internet of Things (IoT) are far from hypothetical – a point being hammered home here at the RSA Conference in San Francisco.

RSA Conference 2015 — The security challenges posed by the growth of the Internet of Things (IoT) are far from hypothetical – a point being hammered home here at the RSA Conference in San Francisco.

How to secure the ever-growing Internet of Things is the subject of multiple talks at the conference. Daniel Miessler, practice principal at Hewlett-Packard, is among those presenters. According to Miessler, the biggest problem is not a particular vulnerability. Instead, it’s that all the security problems of the last 20 years are being repeated and now combined in IoT, he said. 

“We’ve had network security, application security, mobile security, and cloud security leading up to IoT, and unfortunately we tend to start over when we move into new spaces,” he told SecurityWeek in an interview. “With IoT it’s much worse because IoT products have every one of these components, but they’re being assembled not by the experts but by those who are new to those areas. This presents the greatest amount of risk from IoT – it’s about IoT being far behind the collective security postures of the components that it’s comprised of.”

A new report released today from NSFOCUS linked IoT-devices to an increase in SSDP [Simple Service Discovery Protocol] reflection attacks during the second half of 2014. More than 30 percent of compromised SSDP attack devices were network-connected devices such as home routers and webcams, according to the firm.

“With the proliferation of the Internet of Things, any smart connected device with a public IP address and vulnerable operating system will increase the number of devices that could be used to launch SSDP–based reflection attacks,” according to the NSFOCUS report. “This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks, in 2H2014.”

Smart devices, the report notes, often have long update cycles and a relatively high bandwidth.

“If smart devices have weak passwords or other vulnerabilities, attackers are able to exploit them to launch DDoS attacks, essentially making them DDoS attack sources,” the report adds. “According to our recent monitoring of worldwide smart devices, it is discovered that approximately 7 million such smart devices could be exploited to launch DDoS attacks.”

It is important for businesses to understand the technologies they deploy, including what types of interactions are possible with the technology and from where, said Miessler. Segmentation and monitoring are also essential, he added.

Advertisement. Scroll to continue reading.

The Cloud Security Alliance (CSA) released a report this week entitled ‘New Security Guidance for Early Adopters of the IoT‘ that is aimed at helping early adopters understand the security challenges they face and recommending controls they can use.

“Traditional security mechanisms such as secure software development and security controls engineering, common vulnerability and exploit (CVE) discovery and reporting, vulnerability management, and field upgrade and patching do not exist or are immature in most of the industries taking advantage of IoT platforms,” said Luciano Santos, vice president of research and member services for the CSA, in a statement. “Research is needed to allow organizations to design a trusted IoT ecosystem in their enterprise that securely utilizes the cloud for control and data connectivity. In the absence of this research, organizations will be forced to make substantial architectural decisions without sufficient data to understand the risks and identify appropriate mitigations.”

During his presentation on IoT security at the conference, Billy Rios, founder of security company Laconicly, explained that non-traditional connected devices are already pervasive throughout the enterprise.

“If you are a Fortune 1000, you have a ton of building automation systems in your organization,” Rios said. “It’s not a question of when…you already have the stuff in there. If you are on a corporate campus, you already have tons of building automation in your environment.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.