Securing the Internet of Things
by Brandi Scardilli
Think of any everyday object in your home or business, and chances are it will have computing power within the next few years. Cisco, an enterprise solutions provider, predicts that there will be 50 billion connected devices in the world by 2020, including watches and refrigerators. “When you think about the internet over the last 25 years, the main focus has been about people-to-people communication and people’s interactions with data. But over the last couple of years, we recently started to see devices or things getting connected and talking to each other. And in the process, we are seeing the number of devices connected skyrocketing,” says Maciej Kranz, VP and general manager of Cisco’s corporate technology group.
This shift is known as the Internet of Things (IoT), the idea that “there’s no reason that almost every object in your life couldn’t have a digital identity and the ability to interact with other objects,” according to Sam Curry, chief strategy officer and chief technologist at RSA, the security division of cloud computing, Big Data, and IT solutions company EMC. Computers are now “more prevalent, more common, more distributed, and more powerful. So if you continue that trend, you start to see mundane, everyday objects become computing objects. You could think of it as more sophistication and intelligence being baked into everything.”
Ten Tips for Internet of Things Security in Homes and Businesses
1. Use strong passwords, and update anti-virus programs regularly.
2. Do a device audit to see how many of the devices you own are vulnerable to attacks. (Even if a device doesn’t have a screen or a keyboard, it could still be connected to the internet.)
3. Make sure the firewall or other protection that comes with your router/modem is enabled and configured properly.
4. When you make device purchases, disable any remote accessibility features and change the default password right away.
5. Visit the manufacturer’s website after making a purchase to download any software updates that are available.
6. Think like a hacker: Do a threat analysis of where potential threats could come from.
7. Before giving out personal information online, find out how the recipient plans to use it and protect it. (Don’t assume it won’t be shared.)
8. Only give out the minimum amount of information being asked for on online forms, whether on social media or ecommerce sites.
9. If you are a security vendor, don’t make your products difficult to use. Build them to complement the ways that people behave.
10. Practice good security hygiene and processes. No product will make a person or company secure. (“I have seen the best products in the world deployed poorly, and that ruins them, but I’ve also seen fairly poor products deployed well, and they get good security,” says Sam Curry, RSA’s chief strategy officer and chief technologist.)
“Unfortunately, every new technological development usually comes with a new set of security threats,” says Dick O’Brien, senior information developer at Symantec, a business security and management company (symantec.com/connect/blogs/internet-things-new-threats-emerge-connected-world). “Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones are also vulnerable to attack. However, few people are aware of the threat to other devices.”
For example, Kranz predicts that every new car will be part of the IoT by 2017. “How do you prevent the hackers from hacking into your car, and suddenly taking over your car, and speeding it up to 120 miles per hour? How do you prevent a hacker from planting a malware in your car, and the malware will start stealing your personal information? … So in this case, there are very new approaches to security that are required.”
When interconnected devices talk to each other, “they’re moving information about you around,” says Kevin Bailey, head of market strategy at Clearswift, which helps organizations with information management and critical information protection. He believes that one of the base requirements for securing the IoT will be protecting intellectual property and personal information.
“[W]e’ve gone from a world where a few million people had one system each, trying to access a simple set of services, to one where there are going to be dozens of devices, and around every person, and billions of people, all trying to connect in ways that aren’t predictable ahead of time,” says Curry.
Some companies are already working to meet the challenges of IoT security. Clearswift tracks the actions of hackers who are either attempting to extract company information from a secure system or introduce malware into a system. When an organization’s usage rights policies are breached, Clearswift removes the offending text. “If somebody wants to send in some malicious code to affect the system, we would identify that and remove those pieces of content, put the document back together again, and then continue it through” to the recipient, says Bailey.
RSA has four main functions as the security division of EMC. First, it helps businesses set up security command centers. “[I]t’s about being a step ahead of the bad guys. We help companies in particular find bad guys in their networks and root them out,” says Curry. Second, it provides authentication solutions to protect against identity theft. Third, it helps banks prevent fraud. “So if you log in to a bank account, chances are we’re on the back end,” he says. Fourth, it offers a GRC (governance, risk, and compliance) program that coordinates the people, processes, and technology in a company to minimize risk. “And we’re evolving each of those four product sets to deal with a world that’s much more intelligent and connected.”
Cisco has spent the last 3 years investing in the IoT market, including developing sales capability, solution development capabilities, and partnering capabilities, says Kranz. The company offers more than 700 IoT-related products, such as cloud and systems management and data center management and automation.
The IoT fosters a rich environment for creativity, says Curry. “A lot of the creative folks out there can now bring high-tech and strong security to things they make. … I think one thing we’ve learned in the last decade is that new players can emerge very quickly and that the people can make totally unexpected choices, and really exciting ones.”
Cisco is looking for those potential new players by sponsoring a contest, the Cisco Security Grand Challenge (www.ninesights.com/community/cisco). This worldwide initiative aims to bring the security industry together to address IoT security. Kranz says the challenge centers on four topics: malware protection, proper identification of credentials, verification of data, and privacy protection.
The submission deadline is June 17, 2014, and Cisco will announce the winners at the Internet of Things World Forum this October. A maximum of six winners, judged by Cisco’s panel of experts, will receive awards from $50,000 to $75,000.
Cisco is looking for visionaries, innovators, and implementers from academia, startups, and large companies, says Kranz. Submissions must be feasible, scalable, easy to use, and broadly applicable to the IoT; plus they must include a proof of concept.
Kranz says the good news about this challenge is that the company retains all the intellectual property in its submission. “They are the owners of the invention,” he says. “We don’t want to compromise that. What we want to do is make sure that we expose the best innovations and to help the industry adopt them.”
One company acting alone can’t solve all of the problems surrounding IoT security, which was a major impetus for Cisco to offer the challenge, says Kranz. “We need to be working together as an industry. And we need to be solving these big challenges as an industry as well.”