CyberFest Conference Looks at Road Ahead for IoT Security

By Chris Preimesberger  |  Posted 2014-10-03

In the IoT future, every sensor, every videocam, every connected soap dish will have an IoT name, and it might not be a number.

One misconception many enterprises hold is that innovation inside the enterprise is dangerous for security reasons, that new ideas should stay behind walled systems, and that only security professionals should be charged with handling the security of those systems. This clashes with the common observation that "innovation happens elsewhere," and that enterprises and service providers need to be constantly aware of new ideas coming to the fore, in the open-source community for one example.

"It's been said that as innovation comes across a number of different industries, security professionals need to step in front of it and quash it. That's hopeless. Innovation is going to happen. It's just too compelling, too alluring to people," Quinn of Palo Alto Networks said. "In reality, what the industry and the providers need to do is not going to keep up with innovation and the technology. It's always a catch-up game."

Major Data Breaches Will Continue to Bring Attention

We are going to continue to see events that will bring widespread attention to this, Quinn said.

"I would hope these events involve only a connected soap dish. But often it's the very organized, sophisticated, well-funded nation-state groups who are after the infrastructure and disrupting the economy of the United States," Quinn said. "That's what keeps me up at night.

"They are very innovative in what they are doing. They don't just target specific things, but they target something laterally. We call it a kill chain; attackers do recon [reconnaissance] to find something that is weak, weaponize or install something there, become invisible there, and then start to move laterally to other places on the network. In this paradigm, the network is the cloud. Ultimately, they get to where they want; they get into the data center, they get credit cards or whatever," Quinn said.

Achilles' Heel for Enterprises: Red Security Tape

One Achilles' heel that security companies and IT administrators have, and attackers do not, is red tape: attackers are not subject to the rules, regulations and paperwork that slow security professionals in getting updates onto systems, Orange of Websense said.

"Also, in running a global information security program, the other component is 'context-aware.' We're so focused on the user-centric context that we are forgetting about applications that can invoke other things," Orange said. "Or systems that invoke applications that invoke other modules that will allow us to become vulnerable. And we don't see it at this particular point in time.

"A lot of our systems are geared toward this anomaly, this 20 percent noise factor that goes up, and then you pay attention. With the onslaught of the Internet of things, we're going to get increased data, no increased resources, no increased budget, but we still are going to have to answer that question, 'Are we secure?'" Orange said.

Virtue of Qualcomm pointed out that when a machine or a human invokes a service on the Internet, or when a machine opens a connection to a human or to another machine, "the system isn't just one provider. It's going to be 10, 12, however many different pieces in a chain that forms whatever service I'm consuming."

Back-End APIs Need Strengthening

"Those all need to interact with some kind of trust model, otherwise there are points of exposure," Virtue said. "There are protocols that exist for back-end APIs [application programming interfaces]. That stuff still needs some work; we need to build standards and protocols around how to share that [data] in a secure and trustworthy manner. This is going to be crucial to fostering innovation, so people can build things, trust it, and they won't have to all go off and build it themselves.

"Some people will get it right; a lot of them will probably get it wrong—like generating your own cryptographic algorithms. If you're doing that, you're probably doing something wrong. You need to use something that's tried and true, otherwise there's too much risk."

eWEEK will revisit the content from this panel discussion and follow up with subsequent articles.


Chris Preimesberger

Chris Preimesberger is Editor of Features and Analysis at eWEEK. Twitter: @editingwhiz
