Hidden Costs of IoT Vulnerabilities
IoT devices have become part of our work and personal lives. Unfortunately, building security into these devices was largely an afterthought.
Another day, another hack. Whether it's a baby monitor used to spy on mother and child, or an FBI warning to reset home wireless routers due to Russian intrusion, the question continues to be: What's next?
Internet of Things (IoT) devices are part of both our work and personal lives. Unfortunately, building security into these devices was largely an afterthought ― the ramifications of which we are now seeing on a near-daily basis. However, let's look beyond the headlines at the hidden costs of IoT security vulnerabilities. These fall into five categories: device security, intellectual property (IP) protection, brand protection, operational cost containment, and user experience.
Device Security
Once hacked, some devices can do a disproportionate amount of physical damage. It all depends on the degree of criticality to the nation-state, community, or individual.
The agriculture industry, for example, is as valuable to a country as any other strategic asset, such as utilities, finance, or communications. Many big farms today are automated via field sensors and autonomous vehicles. Let's imagine that someone hacks the sensors to erroneously indicate that the corn is ready to be cut, even though it's three months too early. Or that a hack signals an autonomous tractor to spread too much fertilizer, burning and causing the loss of an entire crop. The potential for catastrophic hacks like these, and the corresponding financial losses or risk to the nation-state and its citizens, seems endless.
It is highly recommended that you closely examine the security of your IoT devices via the lens of worst-case scenarios. Ensuring the integrity of the data coming from your remote sensors is especially important because this data drives automated decisions with long-term implications.
IP Protection
It's astounding how many organizations will spend millions of dollars on R&D and then put that valuable intellectual property on an insecure IoT device. In this case, a hack could mean the end of your business.
Now, let's presume that you are investing heavily in building sophisticated algorithms to enable machine learning, artificial intelligence, or facial recognition. As you look to deploy these proprietary algorithms for use in an IoT device, you are ultimately left with two choices: 1) protect the algorithm in the cloud, forcing the IoT device to go back and forth to the cloud to run the process and adversely affecting the customer experience, or 2) install the algorithm into the OS stack on the IoT device and risk a hack that steals your algorithm ― essentially making you toss your entire R&D investment into the wastebasket.
Brand Protection
Apathy and inertia are creating a sense of "hack numbness," though the consequence of turning a blind eye depends on where you sit.
Let's say you make devices that help protect or enhance the life of children, with cameras or microphones that are always on and always watching. Consider a hack on these devices, and the misuse of the information they have access to, now being consumed by unsavory characters.
This is a brand killer. No matter how noble your IoT device and its application, if you cannot protect children, the market will make sure your future is cut short.
Consequently, security can't be ignored because you became numb to attacks. This is especially true if you're in a business that requires your IoT devices to gather sensitive information. Couple this with an emotionally invested customer base, such as users of child-monitoring devices, and a hack will mean the end of your business.
Operational Cost Containment
Satellite time is expensive. Within the broadest construct of the many new IoT devices, some will have a component that relies on satellites for data communication. It does not need to be said (but I'll say it anyway) that satellite time is a very expensive path for data backhaul.
Imagine a hack where a botnet starts a distributed denial-of-service attack on a music-streaming server, which then causes the IoT device to start rapidly and overwhelmingly pinging the music-streaming service. As the IoT device is battery powered and using satellite for its backhaul, every ping now statistically shortens the life of the IoT device.
This scenario serves as a double whammy of cost containment. If you're leveraging satellites in your IoT strategy, you must examine where potential vulnerabilities are because they could affect your overall costs of operation and maintenance.
User Experience
As the saying goes, everyone has been hacked, but there are some who don't know it yet. While there may be no disruption of service at the time of a hack, what happens when there is some type of glitch?
Let's imagine that you get up one morning and ask Alexa to open the blinds, but they don't open. Now you have to check if there's Internet service into the house, and then confirm that the Wi-Fi network is broadcasting and that Alexa is enabled properly, and, finally, you have to ensure that the app for "my blinds" is connected and working. Considering how much time this could take, it would be quicker to get out of bed and just open the blinds manually.
Consequently, by adding a path that uses attestation to ensure that the original code base is not corrupted, we can minimize the impact on the user with a highly secure device update, but the hidden cost is the impact on their time.
Conclusion
The world is catching on to the idea that IoT device security is of paramount importance. Frankly, if end users were affected in a meaningful way (say, something involving their TVs) through one significant hack, the demand for security would become "top of mind." The question is how many of these hidden costs will affect organizations while we work toward a more secure ecosystem.
In my opinion, embedding security in the IoT ecosystem can't come soon enough.
Carl Nerup's experience is a powerful mix of proven marketing and sales leadership an
Security Practitioners! 5 Ways to Make your Boss Hear your Needs
Having trouble getting senior management to buy in to your security recommendations? Try these essential tips.
One of the most oft-heard complaints among IT and network admins concerns how to convince senior management of the importance of a robust and comprehensive security solution. From SMEs who think they are not a target and can’t afford “the expense” of security, to corporate managers more worried about compliance than compromise, applying the principles of cybersecurity wisdom can be a challenging and frustrating task if management aren’t on board.
Some managers are more interested in ticking boxes for Quality Assurance than the impact of a malicious breach. After all, if all the boss’s boxes are ticked, responsibility for any problems will fall elsewhere, and probably on you! But if ticking your boxes requires getting senior stakeholders to recognize the reality of today’s threatscape, what can you do? Here are our top 5 tips for making your boss hear your needs.
1. Speak a Language They Understand
When bosses naively ask “Are we safe?”, don’t say “Security isn’t a binary question!” Do say “It isn’t a simple Yes/No question.” You know security is a company-wide practice and a mindset, but your boss may think it’s just another task that you should have completed already! That means, like it or not, you’re in the business of education. And the first step along that long road is for you to learn their language. Don’t expect your boss to understand yours!
So, be light on the jargon and technical specifics when discussing your needs, and be heavy on the effects on productivity, efficiency, staff morale and other quantifiers bosses understand. They don’t necessarily need to know all the details of how your domain came under a DDoS botnet attack for the last 24 hours. They do need to know that there’s a security situation which requires either some specific amount of time or budget (or both) to deal with. Point out the cost to the company of not putting into effect your recommended solution.
2. Share Ownership
Bosses typically don’t want to know about the reality of security because as far as they see it that’s your job, not theirs. “Don’t talk to me about cyber! Dealing with this is what I hired you for!” But the boss is just a specific example of a more general problem. When it comes to security, managers are just one of your many users, and promoting security awareness among all your users should be one of your key priorities.
The important thing here is to get staff (including bosses!) to buy in to the idea that security is a company-wide responsibility. Ask permission for and implement staff awareness programs. Do people know how easy it is to phish passwords? Engage them with social media like this
Who says hacking is difficult!
So, what’s your password? #Cybersecurity #cyber #hack #hacking #Hacked #hacker #informationsecurity #infosec #informationtechnology #infowars #socialengineering #cybersecurityawareness #cyberawareness #digitalsecurity #password pic.twitter.com/zxKpTz6q9d
― Mohit Kumar (@unix_root) October 29, 2018
or seek permission from HR to conduct a simulated spear-phishing test like this.
How willing are your staff to plug in unknown USB devices that could be malicious? Do they know how easy it is for hackers to turn a regular USB device into a malicious weapon? Run campaigns. Don’t ask for funding, just permission where necessary.
3. Be a Solution Provider, Not a Problem Bringer
Informing management of problems may get you labeled as a complainer and earn your ideas nothing more than an eye-roll. Raise security issues in the context of how they affect others rather than yourself, and then spend time discussing solutions. Similarly, if like the proverbial messenger, you don’t want to get “shot” for being the bearer of bad news, learn to deliver your problems with a heavy dose of answers. Ideally, present a range of solutions for consideration, but angle the pros and cons to favour what you know is for the best.
Your task here is to lead your managers to the right security solution because it’s a benefit to the company as a whole.
4. Present Proposals, Not Demands
You have some obsolete hardware and infrastructure that one department desperately wants to keep. Maintaining it is a security issue for you, but bosses are more swayed by the department’s argument that “it’s necessary for their work”. Oftentimes, staff are invested in ways of doing things and no one likes change. Spend time looking at solutions that would improve not just your security concerns but also their productivity. For example, try asking them what equipment they would buy if they were setting up their department anew. Wave away “oh, but we’d never get budget for that here” protests. Find out what they need, and then promote it or something close to it to senior management as a solution not just to their problems, but yours too.
Aligning security with a costed business case for other improvements makes for a more compelling argument than going it alone. Write a clear, costed proposal that not only provides a budget but also estimates, in quantitative terms, the projected benefit to the company. Ideally, you want a package that the boss can sign off on and justify in terms managers understand: cost-benefit analysis.
5. Don’t “Hide in the Basement”
If senior managers aren’t aware of how security issue