At last week’s (ISC)2 EMEA Congress, two comments stood out on the securing of the ever emerging wearable and “Internet of Things” (IoT) market.
On an early panel, CERN’s Stefan Luders claimed that dealing with the IoT is about patching, rather than anti-virus and standard security controls, while he said that this was the biggest challenge he had seen for control systems. “We are much too rigid in patching and attack vectors are enabled by social engineering, and we are ok at dealing with ‘knowns’, but we are too rigid and cannot touch systems as it is too critical,” he said.
On the same panel was former Home Secretary David Blunkett MP; a man upon stepping down from politics at the next election, said he would take more of an interest in cyber security, said that to secure wearable technologies, you “need an eggshell” approach around the things, rather than a firewall, due to the inter-connectivity.
The next day I met with Geoff Webb, director of solution strategy at NetIQ, who told me that so many security tools can create a lot of problems, as it is hard to gather information and act upon it, as often identifying both people and “things” are tricky. “This is where identity and access management (IAM) is moving. It is not ‘get me access’, it is ‘get me better information on who or what was accessed’,” he said. “We are good at giving and taking away access, but in the middle no one is taking away so there is a huge blind spot.”
Moving on to IoT, Webb admitted that it had moved from something that was discussed and we had little understanding of, to being something we have to have a better understanding of. “It is about mass connectivity in people’s lives, and IoT will become necessary without needing it,” he said. “It will be revolutionised again and will not be visible to someone as we want machines to talk to each other and it will require an interesting management as companies do things with it.”
Without prompting visions of Skynet, Webb admitted that the vision of IoT is about invisible machine to machine communication, and having “things” add value to offer a competitive advantage. There will be connected kitchens to the car, and washing machines to the thermostat, but from a security standpoint, Webb said that the more technologies that are online, the more intelligence and impact upon our lives there will be.
In terms of what was said about the patch management model, Webb said that part of the value of IoT is in making the “things” minimally smart enough to do their job, without building massive computing if the function is basic, but put the minimum amount do the job. Yet the challenge is having put in 58,000 devices, do you go out and redeploy them, no, so you build in remote patching capabilities.
“Even then, if do remote patching capabilities, that adds in potential as then got system where someone can change the software sitting on the devices, if someone figures that out am I vulnerable? How do I manage that extra dimension of complexity?”
He said: “The extra dimension around the IoT is, are we comfortable building the devices are they thinking from today to prevent vulnerabilities and fix them? That is one of the big challenges to deal with fairly early on and a lot of companies do not have security DNA; they are thinking about functionality and ease of use.”
Webb said that for a business with a lot of devices out there, one security benefit can in spotting a sudden change in behaviour,
as that can be a flag as you know what it normally does, and you have a better chance of knowing what is does. “You still have the problem, but being able to identify it allows you fix it quicker as the sooner you can spot it, the sooner you can minimise the damage,” he said. “You can get more value as you can understand them better. How do we utilise the hard lessons we have learned over the last ten years and apply them to IoT.”
He concluded by predicting that we will see more reference to “IoT enabled” and it used as a selling point, and the attitude of “don’t care not interested” will move to “cannot live without” very quickly, as this is something that happens quietly in the background, and how we manage stuff will be one challenge, combined with user acceptance.
Geoff Webb, director of solution strategy at NetIQ, was talking to Dan Raywood
