For as long as there have been robots, there have been people writing about the robots that are out to kill humans. Isaac Asimov spent a lifetime exploring how the Three Laws of Robotics, a fictional set of principles designed to protect humans from robotic harm, could raise moral dilemmas in otherwise non-sentient beings. Michael Crichton became a bestselling author crafting tales about the consequences of technology, from air travel and time travel to theme parks filled with resurrected dinosaurs.
These types of stories may be science fiction, but they fuel the imagination of a general public that is already scared of technologies it may not understand. Carl Sagan noted in the book “The Demon-Haunted World” that the supernatural tends to be very good at using the latest technology. Not long after the dawn of space exploration, the number of reported UFO sightings and abductions skyrocketed. Ghosts that used to haunt the living with “bumps in the night” started using televisions and telephones when the technology became available.
The Internet of Things is real, and as a near-future technological shift, it is also generating a great deal of fear. The network is becoming the common ground for device communications with humans and cloud services, as well as other devices. The question about whether the device manufacturers are up to the task of doing these activities securely, however, remains up in the air, with a number of notable failures becoming fodder for speculation on what’s going to happen next.
I see a problem emerging, because the tales of hacker-controlled refrigerators and baby monitor surveillance serve as a distraction from applying the correct principles for protecting any device on a network. Yes, there are good reasons to be concerned about whether a given device has adequate security. The device should provide good enough security to withstand an attack. But I also believe that it’s a bad idea to expect that it will. We should never presume that any device connected to the network (whether it’s a laptop, a mobile phone or a pacemaker) is safe in the first place. The device’s inherent ability to withstand an attack should be the last (and not the only) line of defense.
Let’s put the issue of the Internet of Things aside for a moment. Exploits establish a toehold on a target by feeding it bad input that makes it behave in unexpected ways. In fact, the Verizon 2015 Data Breach Investigations Report noted that hackers are often tremendously successful recycling old attacks against unpatched systems:
“We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”
Typically, product vendors respond by providing a patch to close such vulnerabilities and render the exploit useless. Yet despite the best of intentions, organizations are seldom able to patch every device in a reasonable period of time. In some cases, the device may be unpatchable (because of a vulnerability in firmware, for example) or it may be irreplaceable (such as expensive or custom equipment with a long production life expectancy). In other cases, it’s a matter of rogue devices that were never managed in the first place. The organization should take steps to secure the device in a timely manner, but it also needs to take measures to prevent a threat from reaching the device in the first place.
A prevention-first mindset starts with several basic principles towards the reduction of risk:
- Use network segmentation to prevent unnecessary levels of exposure to critical systems by isolating access based on business need. For example, isolate network-connected medical equipment from end-user workstation traffic.
- Reduce the attack surface by safely enabling applications that have a business purpose and eliminating those that don’t. For example, a printer should only be administratively accessed by users in an administrative group, and it should only accept print jobs from domain users. Any other type of access, such as a shell out to the Internet, is simply not necessary.
- Adopt a zero trust attitude by never inherently trusting anything.
- Identify and manage unknowns, including unknown traffic and unknown files.
- Apply threat intelligence to stop threats (including exploits and malware) from reaching any device on the network.
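The first four principles above can be expressed as a single default-deny policy evaluated on the network rather than on the device. The following is an added example, not code from the original post; the zone names, group names and sample flows are constructed, and the rules encode the post’s own printer and medical-equipment examples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One connection attempt seen on the network (constructed sample data)."""
    src_zone: str    # network segment the connection comes from
    user_group: str  # group of the authenticated requester, or "none" for a device
    dst_zone: str    # network segment of the target device
    dst_port: int    # TCP port on the target

# Allow-list, checked in order. Anything not listed here is denied: the
# network never inherently trusts a device or a user (zero trust).
# Zone and group names are hypothetical.
ALLOW_RULES = [
    # printers: management only from the admin group, print jobs only from domain users
    ("workstations", "printer-admins", "printers", 443),
    ("workstations", "domain-users", "printers", 9100),
    # medical equipment: reachable only from the biomedical engineering segment
    ("biomed-mgmt", "biomed-engineers", "medical", 443),
]

def evaluate(flow: Flow) -> str:
    """Return "allow" for the first matching rule, otherwise "deny"."""
    for src_zone, group, dst_zone, port in ALLOW_RULES:
        if (flow.src_zone == src_zone and flow.user_group == group
                and flow.dst_zone == dst_zone and flow.dst_port == port):
            return "allow"
    return "deny"

def unknown_flows(flows):
    """Flows that fell through to the default deny. These are the 'unknowns'
    the post says to identify and manage, not to drop silently."""
    return [f for f in flows if evaluate(f) == "deny"]

# constructed sample traffic
SAMPLE_FLOWS = [
    Flow("workstations", "domain-users", "printers", 9100),   # a normal print job
    Flow("workstations", "domain-users", "printers", 22),     # SSH to the printer: no business need
    Flow("workstations", "domain-users", "medical", 443),     # workstation reaching medical gear: segmentation violation
    Flow("printers", "none", "internet", 22),                 # printer opening a shell out to the Internet
    Flow("biomed-mgmt", "biomed-engineers", "medical", 443),  # sanctioned maintenance access
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{evaluate(f):5}  {f}")
```

Only the print job and the sanctioned maintenance session are allowed; the other three flows land in the review list without any of the devices involved having to defend themselves.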
Organizations should take steps to use safe devices, but they should never count on every device being safe. In order to reach the device, the hacker needs to traverse the network. Security teams have the defender’s advantage, for they control the network that the devices operate on. By adopting good security principles that prevent attacks and minimize exposure to risk, organizations can stay a step ahead of the challenges introduced by the Internet of Things.