Developing robust cybersecurity policies and practices are critical requirements for today’s connected enterprise, and according to one information security executive, these tasks are made more complex if that enterprise possesses an IoT ecosystem.
AT&T’s security director for the APAC region Don Liew told IoT Hub that there are five essential tasks that organisations need to perform, and explained how each task is affected by IoT.
- Invest in a security strategy and roadmap. “Each IoT implementation is unique, so it is necessary to study how the particular IoT infrastructure is set up and utilised, and to analyse potential areas of exposure. Given how complex this can be, the easiest way to do this is to engage an IoT security consultant with a proven track record and experience across multiple IoT protocols, domains and applications.”
- Boost your monitoring capabilities. “IoT systems cover three broad areas: applications, networks, and endpoints. To achieve effective monitoring, a company needs to adequately invest in people (with the skills to monitor and respond to alerts or incidents), processes (to ensure an appropriate response tailored for the type of attack) and technology (monitoring systems).”
- Tighten up authentication. “All IT systems – including the IoT infrastructure – will need to be accessed by employees at some point for administrative purposes. Multi-factor authentication should be used over simple username and password controls to ensure only authorised users or administrators can access and make changes to IoT systems and applications.”
- Face up to patch management. “Any IoT application based on commercial software should be added to the existing patch management lifecycle to ensure critical application vulnerabilities are eliminated promptly. IoT apps built in-house should be reviewed for application weaknesses and bugs, with intrusion prevention systems and/or next-generation firewalls added to enhance protection.”
- Take responsibility for cloud security. “In terms of IoT infrastructure, each of the various cloud services (Platform-as-a-Service, Infrastructure-as-a-Service, or Software-as-a-Service) demands a different approach to security. Again, an IoT security consultant will be able to assist.”
What lies ahead in 2017?
Liew sees Distributed Denial of Service (DDoS) attacks, credential exploits, application vulnerabilities, and phishing attacks as the primary methods of attack that will be perpetrated in the coming year.
He added that while data will be the primary target, IoT’s ability to control physical infrastructure will broaden the attack surface for enterprises.
“Data will continue to be highly sought after because of its fundamental value and strong demand from buyers,” he explained.
“However, we are seeing other motivations for attacks, including taking control of assets as a means to demand ransom, creating backdoors, and remotely controlling ‘zombie’ machines to launch DDoS attacks on other parties.”
Liew still sees employee cybersecurity education as an important task, even if IoT infrastructure requires less human intervention and involvement.
“While it is true that some attacks do not rely on user error, such as DDoS and application exploits, employee education still plays an essential role as part of a holistic approach to mitigate cyber risk,” he said.
“We continue to see high numbers of targeted attacks exploiting humans as the weakest link in the security chain through phishing emails and malware introduced to the network when people are enticed to visit malicious websites.”