RSA Conference 2015 — The security challenges posed by the growth of the Internet of Things (IoT) are far from hypothetical – a point being hammered home here at the RSA Conference in San Francisco.
How to secure the ever-growing Internet of Things is the subject of multiple talks at the conference. Daniel Miessler, practice principal at Hewlett-Packard, is among those presenters. According to Miessler, the biggest problem is not a particular vulnerability. Instead, it’s that all the security problems of the last 20 years are being repeated and now combined in IoT, he said.
“We’ve had network security, application security, mobile security, and cloud security leading up to IoT, and unfortunately we tend to start over when we move into new spaces,” he told SecurityWeek in an interview. “With IoT it’s much worse because IoT products have every one of these components, but they’re being assembled not by the experts but by those who are new to those areas. This presents the greatest amount of risk from IoT – it’s about IoT being far behind the collective security postures of the components that it’s comprised of.”
A new report released today from NSFOCUS linked IoT-devices to an increase in SSDP [Simple Service Discovery Protocol] reflection attacks during the second half of 2014. More than 30 percent of compromised SSDP attack devices were network-connected devices such as home routers and webcams, according to the firm.
“With the proliferation of the Internet of Things, any smart connected device with a public IP address and vulnerable operating system will increase the number of devices that could be used to launch SSDP–based reflection attacks,” according to the NSFOCUS report. “This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks, in 2H2014.”
Smart devices, the report notes, often have long update cycles and a relatively high bandwidth.
“If smart devices have weak passwords or other vulnerabilities, attackers are able to exploit them to launch DDoS attacks, essentially making them DDoS attack sources,” the report adds. “According to our recent monitoring of worldwide smart devices, it is discovered that approximately 7 million such smart devices could be exploited to launch DDoS attacks.”
It is important for businesses to understand the technologies they deploy, including what types of interactions are possible with the technology and from where, said Miessler. Segmentation and monitoring are also essential, he added.
The Cloud Security Alliance (CSA) released a report this week entitled ‘New Security Guidance for Early Adopters of the IoT‘ that is aimed at helping early adopters understand the security challenges they face and recommending controls they can use.
“Traditional security mechanisms such as secure software development and security controls engineering, common vulnerability and exploit (CVE) discovery and reporting, vulnerability management, and field upgrade and patching do not exist or are immature in most of the industries taking advantage of IoT platforms,” said Luciano Santos, vice president of research and member services for the CSA, in a statement. “Research is needed to allow organizations to design a trusted IoT ecosystem in their enterprise that securely utilizes the cloud for control and data connectivity. In the absence of this research, organizations will be forced to make substantial architectural decisions without sufficient data to understand the risks and identify appropriate mitigations.”
During his presentation on IoT security at the conference, Billy Rios, founder of security company Laconicly, explained that non-traditional connected devices are already pervasive throughout the enterprise.
“If you are a Fortune 1000, you have a ton of building automation systems in your organization,” Rios said. “It’s not a question of when…you already have the stuff in there. If you are on a corporate campus, you already have tons of building automation in your environment.”