When he wanted to explore the security implications of the identity of things, Golan Ben-Oni, the CIO of telecommunications firm IDT Corp., hired a red team to conduct an experiment.
To get a handle on the practical security implications of everyday connected devices, Ben-Oni tasked an Israeli security consultancy with using only nontraditional networked devices to compromise a computer behind a firewall. Exploiting known vulnerabilities, the group co-opted a wireless keyboard used by a fictional employee to inject commands into the targeted system, taking control of the computer and establishing a beachhead for further compromises.
The demonstration was eye-opening, according to Ben-Oni, and underscored that companies need to know about the existence of not just enterprise computer systems and mobile devices, but other connected devices as well.
"The proof-of-concept was not hard to do -- it took a matter of weeks to develop," he said. "The threat is real, and as usual, the vendors that are providing their devices really haven't thought too much about security. And if they have, they have not enforced it enough."
The results of the red team exercise should not be surprising. Internet of things security firm Bastille publicized critical vulnerabilities in popular wireless mice and keyboards. The flaws -- dubbed MouseJack and KeySniffer -- allow attackers to monitor commands and text sent from a vulnerable keyboard or, in the worst case, allow an attacker to take over the computer from up to 100 meters away.
With more employees bringing their own devices and network-connected objects -- such as keycard controls and energy monitoring systems -- the digital footprint of the internet of things is only increasing. As many as 21 billion devices are expected to be connected to the internet within four years, up from 6.4 billion in 2016, according to Gartner. With devices seeping into everyday work life, the danger to businesses has increased, and companies should worry about who is bringing what into the workplace and which corporate devices pose risks.
Yet the security industry is still developing an identity of things strategy. In April 2015, the Cloud Security Alliance came out with its initial guidance -- labeling the document only for early adopters. Without firm standards guiding device makers, businesses are left to figure out how to discover and manage devices that could introduce security weaknesses.
One approach: Because network and data access are increasingly linked to identity, using an identity and access management (IAM) system seems natural. Still, devices pose their own complexities. Some devices, such as mobile phones, can be linked to a user's identity; others, such as radio frequency identification (RFID) tags on cargo containers, should be associated with physical objects; and still others, such as an MRI machine or a centrifuge, need to be treated as critical assets.
"It really is scenario-driven," said Earl Perkins, research vice president in the internet of things group at Gartner. "So many of our conversations start with 'It depends.'"
Recognizing the identity of things problem
While RFID tags, fitness wearables and smart clothing have the potential to pose a risk, they are lower on the threat spectrum. For most companies, the problem mainly boils down to identifying devices that have the capability of connecting to the network or to another device, according to Perkins.
Two broad classes of devices pose a threat. "There is a big fat arrow pointing at industrial devices and a thin arrow pointing to consumer devices," he said. "When we look at the consumer side of business, let's put that in the right context -- privacy is the major issue. Industrial devices are more serious."
For that reason, some lessons regarding the best ways to securely incorporate devices into the network come from industries that have faced criticism for their lack of security: utilities, power companies and other critical infrastructure firms. Those businesses have adopted network-connected controllers and monitors as a way to better manage their operational networks. They have experience in dealing with the impact of nontraditional connected devices, noted Perkins. Manufacturing, utilities and power, and -- to some extent -- healthcare companies have increasingly connected critical devices and have had to deal with higher stakes than most companies.
"Most of the engineers today who have worked in industrial environments are laughing because they recognize that this is what they have been dealing with for a quarter century," he said.
'Hitting a wall'
Information security managers looking to manage the identity of things in their network should focus on identifying devices. It's a natural leap, according to Geoff Webb.
"A lot of the device monitoring is perceived as an identity-management problem: How do I attach an identity to these devices, and how do I manage the lifecycle of their identity," said Webb, vice president of solution strategy for enterprise software provider Micro Focus. "And what happens is the traditional approach of identity management hits a wall -- managing all those similar devices is different and at much greater scale than managing a few thousand employees."
The scale associated with the identity of things is not the only problem. Many devices -- such as tags in smart clothing and some wireless identifiers -- are so small that they do not have enough resources to store a unique certificate or processing power to handle a cryptographic exchange.
There is no way to make devices unique, robbing them of the traditional concept of identity, according to Cesare Garlati, chief security strategist for the PRPL Foundation, an open source group that released a hypervisor for internet of things devices in July. Many of them are so inexpensive, he added, that they are uncountable.
Instead, technologists are focusing on ways to derive unique identifiers from the physical aspects of very small devices.
"There are ways to extract unique identifiers out of every little piece of silicon," Garlati said. "It turns upside-down the whole model of authentication and identity. You don't need to put secrets in place if the secret comes out of the device itself and is reliable."
Dealing with the matter of scale
The internet of things also means more devices producing more data. Companies focused on gaining situational awareness through collecting data and processing it will have to deal with orders of magnitude more of it. A multinational with 25,000 employees, each with five devices, has a major problem with the scale of data that needs to be analyzed, IDT's Ben-Oni said. "You cannot have just a human dealing with that level of data."
For Ben-Oni, automation is a large part of the solution. IDT started out with more than 90 different products related to security that tried to track information produced by systems, appliances and devices. The company has dramatically reduced that, cutting the number by more than two-thirds. Ben-Oni hopes to focus on a dozen core products that can track devices and look for malicious attacks.
The scale problem also extends to the other end of the management process. Traditionally, computers, mobile devices and users are provisioned by businesses, granting employees a certain level of access with a specific device. With the scale of the internet of things, however, such a process will become onerous. Rather than enrollment -- an expensive process that requires human input -- companies should focus on identifying the devices, emphasized Jim Reavis, CEO of the Cloud Security Alliance.
"We need to defend without really touching the devices so much," Reavis said. "A human being installing and managing these things will not work. It will have to become much more automated."
Managing access or relationships
To deal with the influx of devices, companies need to perform three major steps to bring devices under the management of their IAM systems: discovery, asset identification and provisioning.
IAM systems typically focus on creating well-defined rules, giving a user a certain level of access based on the device from which they are connecting to the network. Identity relationship management is more adaptable, allowing machines and devices to have their own identity, while at the same time making provisioning flexible. Companies should shift their efforts from managing identities and access rights to focusing on relationships, according to the Cloud Security Alliance's guidance on IAM systems and the internet of things.
"You have to be able to deal with devices that have a role but are not necessarily associated with a user," Reavis said. "And that's our goal: having one coherent identity system that can accommodate real human beings that are acting through devices, while handling other devices as their own entity."
In the end, companies -- both manufacturers and their customers -- need to solve the internet of things security problem because connected devices will increasingly be able to interact with physical systems. And with cyber-physical devices, the stakes are high.
"When you talk about data, the worst that can happen is you can lose your data," PRPL's Garlati said. "When you talk about all these other connected systems, you are talking about more than that -- you are talking about people dying."