Internet of Things cannot remain a security blind spot
The network is more exposed than ever before with the expanded attack surface IoT brings, leading to increasing support for securing interconnected devices. As the Industrialization of Hacking evolves, so does the number of vulnerable end points on the network including physical systems, mobile devices and wearable technologies.
The biggest challenge is a lack of visibility. The key to seeing an attacker’s every move, from control networks to the data center to the cloud, is contextual visibility by monitoring events and actions across the entire threat landscape before, during and after an attack. Only then will IT be able to continuously detect threats and address them in real time, decreasing the risk that the malicious activity will go undetected.
Often the questions I field about cybersecurity are focused on how to defend the organization from the next uber attack. The reality is that most of the big breaches we read about in the news can be easily addressed with best security practices. . There is no reason for the bad guys to develop the next Stuxnet when using default credentials like "admin/admin" work just fine to gain access to a network device. Just review the OWASP Top Ten and note how long many of the most common vulnerabilities have been on that list -- some for more than a decade. It’s no surprise, then, that we see the volume and depth of the breaches that we do in the news.
Fixing the easy stuff is boring, to be frank, which is why I believe a lot of organizations have those holes. To be fair, many cybersecurity staff are over-worked, under-staffed, and under-funded. The threat landscape is constantly evolving making it almost impossible for organizations to stay ahead of the bad guys.
While it is a complicated topic, the current state of affairs do not need to be as broken as they are. To move forward, it will take a change of mind. Specifically, we have to accept that the bad guys will get in, so it’s vital that our defensive posture isn’t just focused on layers of technology (defense-in-depth), but that we also prepare our defenses along a continuous timeline -- an attack continuum -- in order to maintain informational superiority to protect vital assets, and to translate lessons learned into an improved defense before the next attack, which will come.
Getting back to basics is key, and it starts with visibility. You cannot protect what you cannot see. In other words, it’s impossible to build an effective defense if you don’t know what you’re protecting. The sheer scale that IoT is introducing makes it critical for organizations to understand how large their attack surface is, while also considering potential attack vectors and always remembering that threats are not just external. A simple network misconfiguration can leak data just as effectively as the most sophisticated malware.
It is also important to remember that this will be an iterative process in achieving continuous security, not a point-in-time exercise.
Not all assets are created equal, nor is every attack, so context is the next key component. I have yet to speak with an organization that is overflowing with resources, time or budget. It’s not about being alerted to every suspicious, or even malicious, event, but being alerted to those events that most directly impact your organization and its ability to deliver on its core business or mission. For example, imagine that your organization uses Apache Web servers, and an attack directed at a Microsoft Web server misconfiguration is launched against you. While it is important to know what bad guys are targeting and the methods they use, this scenario may not require an immediate response, and your cybersecurity team is free to address more pressing issues.
You have to know what devices, systems and applications are vital to the operations and success of your business, but that is easier said than done for many organizations. What I’ve found that best fills in the blanks is to refer to the business continuity plan (BCP), assuming your organization has a disaster recovery program. Whether you have a BCP in place or not, it’s always a good idea to speak with different stakeholders in your organization to understand what they find vital.
So far, we have been discussing the "network" in monolithic terms, but when it comes to responding to a bad actor during an attack, our response will depend on whether we are discussing a corporate network or an industrial control network. What they both have common is maintaining informational superiority over the bad guys.
This is when all of the work developing the picture of the assets on the network and their value to the business pays dividends. Knowing where the bad guys are on the network, what systems are affected, and what systems are safe, helps guide incident response and protect vital assets to allow the business’ core functions to operate with minimal impact while the threat is contained and remediated.
There is always room to learn, and the best defense is an adaptable defense. Once the dust settles, it is important to debrief so that you can review the efficacy of the incident response processes. While we all know this is a best practice, how often does it really happen? Not often in my experience, so this is where systems that are capable of machine learning and automatic updates help keep defenses up to date.
Depending on technology alone to address cybersecurity in the IoT is guaranteed to leave us vulnerable. The latest whiz-bang technology is ineffective if not applied properly and in the proper context. It all starts with the humans who have visibility into their networks, and understand the context in which these devices and systems support the organization’s core functions. Visibility and context coupled with the right technology is what will help defend IoT before, during and after an attack.
Photo Credit: Tashatuvango/Shutterstock
Marc Blackmer is Product Marketing Manager, Cisco Security Business Group