Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
3/28/2018
09:00 AM
Simon Eappariello
Simon Eappariello
Partner Perspectives
50%
50%

Getting Ahead of Internet of Things Security in the Enterprise

In anticipation of an IoT-centric future, CISOs must be rigorous in shoring up defenses that provide real-time insights across all network access points.

One of the prevailing critiques of the Internet of Things (IoT) has been targeted at manufacturers who only consider cybersecurity an afterthought. As a result, the burden to protect these devices from massive botnet attacks and hacking attempts generally falls on information security teams and consumers themselves, who are rushing to purchase the latest gadgets – from kids’ toys to smart thermostats – at a faster pace than manufacturers can defend them. 

This is especially worrisome as specialized IoT devices are adopted in specific industries and sectors. Consider the potentially catastrophic consequences if IoT implants used in healthcare are compromised, or IoT tools tracking safety conditions in a factory are rendered nonfunctional by a DDoS attack.

In an attempt to turn the tide on rampant security flaws surrounding IoT in almost every context, the United Kingdom’s Department for Culture Media and Sport – in conjunction with the country’s National Cyber Security Centre – published the "Secure By Design" report, which outlines 13 directives that manufacturers should consider when designing connected products.

IoT Innovation Versus IoT Security
The goal of the guidance is to throttle – only slightly – the rapid pace of innovation with IoT to protect industries and consumers that are already highly vulnerable to cybersecurity threats. It’s an early-stage attempt to regulate the endpoint security on IoT products in the same way the FDA holds food producers to standards of health and safety stateside, barring unfit products from store shelves if they don’t pass muster. The problem here, however, is that all of the guidance is optional, and none of the standards outlined in the report can be enforced.

That said, despite the best early and admirable efforts of the UK government to beef up device-level security, network and information security teams are really going to have to lead the charge in keeping user data protected as the IoT continues to proliferate. In anticipation of an IoT-centric future, chief information security officers will need to make sure that their current network architecture and infrastructure is streamlined and functional to accommodate the larger cybersecurity burdens to come.

Take Stock of All “Periphery” Devices
For starters, it’s important for CISOs to understand the full scope of their organization’s connected footprint. It may sound easy enough, but there are many periphery technologies, multifunction printer/copier/fax machines, for instance, that are less scrutinized than the smart phones or laptops that get the most attention.

Tying up all the loose ends and ensuring that an older fax machine, for instance, enjoys the same protections and feature parity from the security tools servicing tablet computers is essential. This will make it easier to tailor protections for the lower-bandwidth, beacon-sensor communications that the network will need to support in tomorrow’s wider-scale IoT rollouts.

Assign Permissions to Employees and Assets
Network access control (NAC) schemes need to be drafted that anticipate an IoT-heavy future, but with an eye to the past. For instance, controls must be configured that make sure that unrecognized or unauthorized devices aren’t using access to an oft-forgotten printer/copier/fax as a pathway to more valuable network data. This requires teams to not only reference device and user registries – and to update them regularly – when mapping out NAC architectures, but to use security tools that provide real-time traffic insights across all network access points.

The biggest challenge to network security in any context is mapping just how large the scope of connected devices already in use really is. Not only are consumers bringing their own IoT gadgets into the office – Amazon Echos in the C-Suite, for instance, or smart picture frames – but the peripheral technology found in almost every office – security cameras, smart TVs in the lobby – are prime targets by hackers because they often get overlooked.

Until manufacturers can catch up with device-level defenses, IoT cybersecurity will continue to fall on the shoulders of network and security teams, both of which must be rigorous in scrutinizing all network defenses.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24376
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
CVE-2021-24377
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
CVE-2021-24378
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
CVE-2021-24379
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
CVE-2021-24383
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue