The Internet of Things includes a vast and ever-growing array of networked devices—including smart meters used by utilities, medical devices for monitoring patients’ conditions and delivering care, as well as to sensors that do everything from supporting public safety to automating manufacturing processes. When it comes to security and the IoT, Radware sees a two-part dilemma.
The first part: mitigating the risk of vulnerabilities created or compounded by networked devices. Organizations must consider the possibility of a huge increase in unknown vulnerabilities at the device level, as most lack antivirus or advanced endpoint and threat detection capabilities. While sensors and other IoT devices can fuel exponential improvements in speed, accuracy and efficiency of information collection, they also can make a business vulnerable to intrusions and attacks. Even a company’s network carrier can be affected if attackers use IoT devices to generate massive spikes in network traffic.
The other side of the IoT security dilemma is being protected from devices—that is, addressing the risk of the “things” themselves becoming vehicles for an attack. For example, in the past utility customers may have worried that a meter reader would forget to close a back gate, leaving the house unsecured. These days, they want assurance that they’re not letting a nefarious robot into their homes—putting data privacy and personal safety in jeopardy. On a broader scale, hackers could potentially take control of thousands of smart meters, wreaking havoc on the electrical grid.
Healthcare is another area where vulnerabilities could be devastating. Imagine a patient receiving an email that threatens to alter his or her pacemaker’s performance unless a ransom payment is made. It may sound far-fetched, but healthcare has become a frequent target. Already, numerous attacks have blocked hospitals’ and other providers’ access to their own data. Networked medical devices provide another potential avenue for such schemes.
Mitigating the threat of ‘things’.
Regardless of an organization’s interests around the IoT, the time has arrived to start taking proactive steps to ensure security. In the end, the full vision of the IoT may or may not come to pass, or it may take longer than some predict. What is undeniable is that connectivity is exploding. While most people may be unaware of how the IoT functions, they will expect it to be secure. Similarly, they will be largely clueless to the potential impact they (and their new gadgets) have on the threat landscape, and thus cannot be relied upon to maintain security capabilities on these devices.
Leading Through Uncertainty
Best practices for security operations will always vary with business and technical dynamics. Even so, some common practices are becoming increasingly important in the face of the evolving threat landscape.
In analyzing the findings of the Executive Survey conducted by Radware in partnership with Merrill Research, the company identified insights into how well some are doing—and areas where executives may have opportunities to understand and close security gaps.
Practice #1: Perform greater screening on inbound and outbound data
In the open-ended responses, one executive mentioned future plans to increase screening on the traffic entering and leaving the organization’s network. Such screening represents a significant gap for many organizations—and it’s becoming increasingly important to address it. Radware has witnessed an increase in SSL/encryption, making inbound attacks more challenging to detect. Meanwhile, outbound traffic, especially when it’s encrypted, is often not inspected.
Recommendation: Ensure that network/perimeter protections can inspect encrypted traffic without scale issues. Implement outbound traffic inspection capabilities.
Practice #2: When it comes to security, know what you’re spending and why
Radware’s study revealed an interesting paradox : A majority of respondents (82%) indicated that Cybersecurity is a CEO- or board-level issue. Yet in both the U.S. and the U.K., more than half of executives did not know how much money or time their company has spent on security—from fighting cyber-attacks to implementing safeguards against hackers. Cyber security is simply too important, and poses too much risk, for that lack of executive awareness.
Recommendation: An organization’s board and C-suite should assign ownership to ensure transparency on current threats, protection strategy and where/how resources are being used.
Practice #3: When facing a ransom demand, tread carefully
With ransom attacks on the rise, the survey uncovered another paradox. Eighty-four percent said if they were approached by cyber thieves, they wouldn’t pay the ransom. Yet among those who were actually attacked, 54% said they did pay. Giving in to cyber thieves can be risky, as paying ransom may not stop the attack and, in fact, might increase the odds of additional incidents.
Recommendation: Flip the economic equation—investing resources into network, endpoint and application security rather than “donating” money to criminals.
Practice #4: Consider using hackers to test your security
The Executive Survey shows increased willingness to use hackers, and with good reason. Hackers brings unique experience and insight as companies work to keep pace with changes to threat landscape and with the latest tactics, techniques and procedures.
Recommendation: At a minimum, conduct penetration testing and explore opportunities to engage white hat hackers to make the testing more realistic—and effective.
Practice #5: Automate security
As the threat landscape becomes increasingly automated, protections need to be, too. Interestingly, in the Executive Survey, 40% say they have had automation in place for two or more years. That finding contradicts input from the Security Industry Survey, in which respondents told us their organization’s security is 80% manual. What this suggests is that executives may underestimate the extent to which certain security protections are still manual. That may include manual signature development for new attacks, as well as policy generation and vulnerability scanning/patching on applications.
Recommendation: True automation comes from enabling technology to initiate protections—not feeding data into a Security Information & Event Management (SIEM) system so that a human can make a decision. Explore multi-vector coverage through coordination of security components.