PE Reports says 70% of IoT devices are vulnerable to security risks, with an average of 25 vulnerabilities per IoT product analyzed
The Internet of Things (IoT), and its dependence on the cloud for connectivity and services, has created critical new security risks.
Two big issues:
- Securing data from theft as it is generated, collected and analyzed
- Protecting IoT devices from potential use for physical attack
The ecosystem has expanded security risks
As most big data projects include real-time analytics for operational insights, and centralized data acquisition or staging for other systems, these projects can include massive quantities of sensitive payment card, personally identifiable and protected health information (PCI, PII and PHI). These projects alone hold major risk and now, with the advent of IoT, sensor data from devices adds to the sensitivity, risk factors and urgency.
The risk of data breach is high: HP Enterprise Security research indicates that 70% of IoT devices are vulnerable to attack, with an average of 25 vulnerabilities per IoT product analyzed. The research covered a range of popular IoT devices from manufacturers of televisions, webcams, remote power outlets, hubs for controlling multiple devices, door locks and alarms. All devices analyzed had mobile applications which could be used to access or control the devices remotely, and a majority of devices included some form of cloud service.
The first step attackers take is to build a map laying out the network of the target location to identify which systems are located where. Their goal is to set up mechanisms to acquire data over as long a run as possible and monetize it.
While perimeter security is important, it is also increasingly insufficient. It takes, on average, over 200 days before a data breach is detected and fixed, leaving the most sensitive data assets exposed while attackers funnel data out of their target, with the scale of the breach growing every day.
With IoT connected devices, physical risk is added to the data breach risk. For example, there are Internet-connected devices that allow consumers to open and close the door to their homes from their cell phones. What prevents the attacker from doing the same thing to a business? Imagine an HVAC system, gas appliance or medical device. If an attacker can control these systems, it becomes an attack on the individual, where the attacker can sit anywhere in the world. This is why everyone needs to be concerned about security in the IoT age.
With IoT devices there are multiple attack vectors such as impersonation of the device user, or of the service provider. These vectors can be protected against through the use of SSL technology, 2-factor authentication, and certificate pinning, so that SSL certificates only enable the device to connect to a server when the certificate matches certain criteria and can be trusted. IoT devices can be designed not to accept inbound connections directly, but rather to accept a request to “call me now” for connection to the genuine service provider. Device software security can be enabled through best practices in the application development process.
Data-centric protection from the device to the big data platform
To protect sensitive data assets against security risks, whether in a business or at home, a new approach is needed: one that actually protects the data itself. A similar approach is needed in IoT. Since each device is different in terms of the data it collects and sends to the backend server, it is important to understand what data is sensitive. With that understanding, it is a best practice to use data-centric, field-level encryption to protect individual data fields. This should be done through a special form of encryption referred to as Format-Preserving Encryption (FPE), implemented throughout the ecosystem: in the devices, the communications channels and the Big Data platform. Sub-fields can be preserved so that the inherent value of this information can be maintained for analytical purposes. Analytics can almost always be done with the protected data, securing sensitive data from both insider risk and external attack.
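As an added illustration (not code from the original article or from any vendor product), the sketch below shows format-preserving, field-level protection of a numeric field with the trailing sub-field left in the clear. It uses a simplified Feistel network with HMAC-SHA256 as the round function rather than the NIST-standardized FF1 mode a deployment would use; the key, device-ID tweak and card number are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves return to their original positions


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 over round number, tweak and one half."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % 10 ** width


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    """Alternating Feistel network over a decimal string; output keeps the length."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("only ASCII decimal digits can be encrypted")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            c = (int(b) - _round_value(key, tweak, i, a, m)) % 10 ** m
            a, b = f"{c:0{m}d}", a
        else:
            c = (int(a) + _round_value(key, tweak, i, b, m)) % 10 ** m
            a, b = b, f"{c:0{m}d}"
    return a + b


def _apply(key: bytes, tweak: bytes, value: str, keep_last: int, decrypt: bool) -> str:
    split = len(value) - keep_last
    if keep_last < 0 or split < 2:
        raise ValueError("field too short for the requested clear sub-field")
    return _feistel(key, tweak, value[:split], decrypt) + value[split:]


def protect(key: bytes, tweak: bytes, value: str, keep_last: int = 4) -> str:
    """Encrypt a numeric field, leaving the trailing sub-field readable for analytics."""
    return _apply(key, tweak, value, keep_last, False)


def reveal(key: bytes, tweak: bytes, value: str, keep_last: int = 4) -> str:
    """Invert protect() with the same key and tweak."""
    return _apply(key, tweak, value, keep_last, True)


if __name__ == "__main__":
    key = bytes(range(32))       # constructed demo key, not a real secret
    tweak = b"thermostat-0017"   # constructed device ID; binds ciphertext to the device
    print(protect(key, tweak, "4111111111111111"))  # 16 digits, last four unchanged
```

Because the output has the same length and character set as the input, the protected field fits existing schemas and validators; small numeric domains remain guessable, which is one reason to rely on a vetted FF1 implementation in production.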
Encrypting the Internet of Things
Traditional measures alone are not enough to protect against the expanding security risks. Enterprises implementing IoT strategies need to apply a data-centric security solution end-to-end from the big data platform to the IoT infrastructure. Using FPE to encrypt data values on a field level, from the device to the infrastructure and remote control element, removes risk and enables protection against remote takeover of an IoT device, the biggest threat to IoT security.
More Here [cxotoday]