- Screen Shot 2018 05 17 at 3 - IoT security is too hard, so we’re giving up – Stacey on IoT
A lot of consumer products and devices employees bring into work are flying under the radar at enterprises, according to the Pwnie Express report.

We’re putting a lot of technology in a lot more places these days, and we’re connecting it to the internet in the hopes of being able to see new patterns so we can change our lifestyles and businesses. This has opened up a huge attack surface. In the last two years, not only have a range of new threats come to light, but old threats have become more powerful, all of which has led experts to believe that the next big cyberattack could take down critical infrastructure — and it’s only a matter of before it happens.

We’ve covered how an exploit of a piece of Schneider Electric industrial process equipment took an oil refinery offline. Most people are also aware that last year, a malware variant called NotPetya took hospitals in the UK offline because of computer issues and because equipment such as MRI machines were affected. For most professionals, those attacks are just the beginning.

A new report out from security group Pwnie Express claims that 85 percent of the 500+ security professionals it surveyed believe that their country will suffer a major cyberattack on its critical infrastructure in the next five years. What’s even worse is that most of these respondents believe that the least prepared industries are those with the biggest ramifications for health and safety — public health, water and wastewater, and the energy sector. In many cases it’s not that these organizations are doing nothing, it’s that the threat is so large and new they don’t know where to begin.

Back in 2015, I was talking to the CEO of American Electric Power at a Fortune event, and he told me that the company had an entire floor of employees focused on vs. just a handful of employees a few years earlier. And those employees were constantly fending off attacks. But his focus at the time was centered more around protecting the organization’s computer . Now threats come over networked cameras or through hackers attaching a rogue thermostat to a network.

And as to the facilities that are getting , their IT operations staff are busy doing other things. The security folks Pwnie Express surveyed said their employers were more than twice as likely to have a security policy in place for IT devices than for IoT. If those companies do have a security policy, only a little more than one-third of their security pros said that they themselves are involved in checking that the devices are compliant, and two out of five said they either didn’t ensure devices were compliant or they weren’t sure if anyone in their organization checks if they are or not.

So basically when it comes to things that aren’t computers, most of those tasked with IT security are running blind. To solve this, I’ve proposed thinking about IT security more like the facilities guys view operations security. Todd DeSisto, CEO of Pwnie Express, adds that when companies buy connected products, someone from the security team should be involved in the purchasing decision. A doctor excited about a connected MRI might not think about the patching and support contract associated with the machine, but keeping it free of vulnerabilities will be at the top of the CISO’s mind.

DeSisto also says the survey results that surprised him the most were that professionals were abundantly aware of increased risks, but their companies had done little to try to address clear problems, such as not knowing what was on a network. “The complexity makes it hard for people to solve,” DeSisto says. “There are a lot of stakeholders, no standards, long life cycles, and any number of things in the wild, running in non-traditional environments.” So they give up.

Unfortunately, many of the concerns about security vulnerabilities are going to get worse before they get better. Almost a third (64 percent) of survey respondents said they are more worried about device threats than they were at the same time last year. The reigning solution so far seems to be some type of network monitoring function that can help security professionals. And it would be beneficial for companies to at least know what’s on their network, especially when 51 percent are concerned with purpose-built rogue devices yet only 24 percent can monitor for them in real time.

The solutions, however, are difficult to implement, require skilled people, and can be costly. That’s the opportunity Pwnie Express is banking on, but it’s also leading to a bunch of security checklist offerings such as this one issued recently by AIG. The checklist aims to be a “set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks” and “is intended to help strengthen, prioritize, and focus on a smaller number of actions with high pay-off results.”

But if you download the document looking for the easy way out, I’m sorry to say that the checklist contains 46 items that range in complexity from “Eliminate unnecessary services and unused ports” to “Conduct security testing on third-party devices and utilized in your business and products.” The problem with putting connectivity in everything is that criminals can take advantage of just about anything. No wonder security professionals are ready to give up.

Source link


Please enter your comment!
Please enter your name here