Cybersecurity Expert and CIO: Internet of Things is 'Scary as Hell'
- 25 March, 2014 21:36
Jerry Irvine, CIO, Prescient Solutions
The terms "Internet of Things" (IoT) and "connected home" are two of the trendiest buzzwords in the technology world today. And while both clearly offer very real potential, they also introduce their own share of risk, particularly if they're not approached with caution, according to Jerry Irvine, an owner and CIO of IT outsourcing services firm, Prescient Solutions.
Irvine, who is a member of the National Cybersecurity Partnership (NCSP), a "public-private partnership...established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure," says his expertise is general cybersecurity and system communications. And he has the certifications to prove it. The Prescient CIO's resume includes CISM, CISA, CISSP, MCSE, CCNA, CCNP, CCDA, CCDP, CNE, CBCP, CASP, CIPP/IT, IAPP/IT, ITIL, CGEIT, and Cisco Wireless Professional certifications.
"Any security cert that's out there, if I don't have it, if you find one, you let me know, and I'll go get it," Irvine told CIO.com Senior Editor Al Sacco.
Irvine spoke with Sacco about IoT and connected-home security, as well as how both consumers and enterprises can prepare for the flood of coming device -- and protect themselves from hackers looking to leverage the IoT to steal sensitive personal or corporate data.
Al Sacco: What exactly does the term "Internet of Things" mean to you?
Jerry Irvine: It means the interconnectivity of things. It's not just the Internet in general, but the ability for devices, all types of devices, to communicate. They communicate across a publicly-accessible, unsecure Internet. Basically everything we have today is being configured for us to remotely control and manage it. And the infrastructure is the Internet.
What do you think of first when you consider IoT?
Truthfully, it's scary as hell. The Internet in and of itself is an insecure and highly-risky environment. It's like walking down an alley at night without the appropriate security measures.
The first remotely-controlled devices were manufacturing devices, heating and air conditioning, things of that nature. They were not very intelligent. They were simply a means to gather information and provide remote connectivity of manufacturing equipment so that technicians could manage more devices and get alerts when something was going wrong.
No security measures were ever put in place. The manufacturers of these "Internetable" home devices are doing the same thing that the manufacturing companies did years ago, and they're making these unintelligent, insecure pieces of equipment that are designed to do one or two things with very little security measures put in place. They may have an individual user ID and password, but there's very little else they do for security. So when you start "Internetting" all of this equipment, you're really leaving yourself susceptible to it.
When many consumers think of the IoT, they think of the connected home, connected appliances. Have you heard of any specific threats targeting consumers via these kinds of devices?
I have not heard of a specific example where it has happened. [As a hacker], I may not actually use your alarm system or your heating, your AC that I can see sitting on your Wi-Fi network, while I'm sitting out in the front yard, to affect those systems. I may implement a virus that gets on your network and now it affects your network, and I'm able to grab your user IDs and passwords and get your financial information moving forward.
It's just the fact that all of these things are on the Internet and unsecured. They have no antivirus available for them. They have no other means of securing them. They are the weakest link in your network. Hackers can get into them, they can target them with malicious applications to infect your PCs, and now get your financial information and your identity.
People are excited about the IoT, and there's clearly a lot of promise and potential there. Security concerns aside, what excites you most about IoT?
I do really appreciate the idea of having an alarm system that will remotely allow me to check my environments. You hear about people on vacation, they get an alert, they see somebody robbing their house, and they're able to call the police.
That's exciting. That's a real opportunity for individuals to protect themselves. The problem is doing it in an insecure manner.
How would a hacker gain access to consumer IoT devices? Is the commonly used Wi-Fi security, WPS or WPA, good enough to protect the average user's home wireless network?
Most likely [hackers] are going to steal your information the same way they're stealing everything else, with a virus or malicious application that you download from the Internet. Your PC is going to be breached, it's going to gather all your information, send it out in a script to somebody, and now they're going to have all your information. Antivirus solutions only protect you against 30 percent of known viruses and malware.
There's the potential of people sitting outside in the front yard, seeing all of your devices and going from there. WEP is a very insecure wireless security protocol which is still in use. WPA is more secure, but most individuals still leave their wireless network to broadcast, so I can see all the traffic going across it, I know there's a network there, I know the SSID.
Are there specific types of IoT devices that are more risky than others? Should consumers be more wary of one connected-home gadget than another?
They're pretty much all of the same risk type. There are a couple companies out there that are doing connected smoke alarms and thermostats and the alerting-type systems, which are fairly unique in that they will ride on your existing Wi-Fi network; however, if you don't have a Wi-Fi network, or if you choose not to use it, they will create their own Wi-Fi segment [using Wi-Fi Direct] so they can communicate with each other and provide access through a single keypad. Those are really nice because they mitigate risk by segmenting them from your Wi-Fi network.
Do you personally use any of these gadgets and services we discussed?
I do not personally use them, because I don't trust them.
What's the most important advice you can give consumers who are diving into the IoT?
There'd be two things: Put [the IoT devices] on a separate network, on a VLAN; and only communicate to them with a VPN. Don't allow any non-encrypted traffic to communicate with them. So segment them and communicate them with a VPN. Use different user IDs and passwords. And use complex passwords. Alphanumeric, upper case, lower case, special characters. Not just "12345" for a password. Complex passwords.
Secure your environment. And don't have your alarm system, your heating and air conditioning system, on the same internal network as your PCs. If they are easily hacked -- and they are -- and attacked, you don't want them to be on the exact same network.
You can put them on a virtual network using all of the consumer-based switches and systems that are readily available out in retail stores. Configure a virtual local area network (VLAN) to secure your environment.
The average consumer is not particularly security-savvy. They're probably not going to use a VPN or a VLAN, or turn off the broadcast function on their Wi-Fi router. With that in mind, do you suggest that consumers avoid IoT devices, or connected home devices, altogether at this point? Is the risk too high to justify the potential gains?
That or engage a professional to install security measures for you. Let's say you do that. I have my home security system, I've tightened down my Wi-Fi and everything. Like you said, the average consumer is not security conscious. They pay somebody else to do that for them.
Then they drop their phone somewhere and it doesn't have a PIN on it. They have applications on their phone that allow them to control all of their IoT devices. We have to start securing our mobile devices even more critically because all of the applications are there to control our entire lives. And yet, statistics show that more than 80 percent of people don't even put a PIN on their phone. I was in a meeting of about 25 CFOs of multi-million-dollar accounts, just this week. I asked how many of them had PINs on their phones, and less than half a dozen had PINs.
Your advice isn't too different than what cybersecurity experts have been saying for years.
That's true. It's just the risk is even greater. Now [hackers] aren't just looking at your individual PC, they're looking at all of your personal property.
It's not necessarily about taking control of your IoT devices, your home heating system, your alarm system?
No. That's been the real mindset change in cybersecurity in the last three to four years. It's no longer about inconvenience. It's no longer DoS attacks that are occurring. It's 100 percent based on financial gain. Everything now is to get your identity, to get financial information, and to steal your identity to get more money. It's a multi-trillion dollar industry today.
What does the IoT mean for corporations, for CIOs and other enterprise security personnel? Do they need to think about how IoT affects their organizations?
It's definitely an enterprise issue, just the same way as BYOD is an enterprise issue. Everybody now is accessing their corporate environment through their consumer systems. I'm going to have my mobile device, my phone, my tablet, my laptop, at my home on my network that can be easily breached. Just like Target was hacked through its HVAC company, somebody else can get into a user's environment and get into corporate data. So absolutely, CIOs need to always look at the weakest link.
What can CIOs do to protect themselves and their organizations?
Proactive segmentation of consumer-based devices from the enterprise network is the primary means. You do that through the implementation of MDM solutions, or MAM, mobile application management, solutions that allow you to create individual partitions on the user's device so that you can segment your applications and data and network access, to allow only authorized segments of the consumer mobile solution. Development of VPN configurations, tightening down, and rather than concentrating on perimeter security, concentrate on application security. A more application-centric approach, application firewalls, application scanning.
Does it fall on CIOs and IT to educate users about the risk of these new IoT and connected home devices?
Yes. The number one proactive means of securing any type of environment is through user training and education. Not only what to what to do, but why to do it, so they understand the risk.
A lot of these things, again, really apply to mobile device security in general. They're not necessarily specific to IoT. It doesn't sound like a company that is already security conscious really needs to do anything different to address IoT.
That's correct. The problem is the threat footprint just continues to grow. I can no longer concentration on the users' individual cell phones. I have to concentrate on phones, tablets, PCs, their Wi-Fi network at home, their firewall at home, on their consumer-grade controllers, these "Internetable" devices.
In truth, what we should be doing implementing the least privilege type of security, where nobody has any rights unless I specifically give it to them. In today's new BYOD environment, it's really set up so that everybody has all rights until I say no. We have to get to the limitation of the only people who have access are the people I give it to. A concentration on the least amount of privileges.
It used to be more like that, before smartphones really hit the enterprise, before BYOD. Do you think the current trend will reverse itself?
JI: I absolutely think it will.