Look beyond testing and compliance

 

As the IoT and thousands of new IP devices grow exponentially, so do the security risks in a variety of critical areas, including physical security controls. An article in FCW recently outlined the increasing risks posed by doors, locks, cameras, and sensors: nearly all of these commonplace physical security controls are now networked in some way, which introduces additional complexity and risk.

Compounding this, the integration of new devices with aging physical security infrastructures poses additional risks of interconnected failures across networks, systems and applications.

As a result, security controls are struggling to keep up with the ever-changing requirements of this new realm of connected IP devices that are starting to play a big role in the management of physical security environments.

The article goes on to advocate the need for “testing” and rightly emphasizes that “compliance” is a minimum requirement that should serve only as a starting point. But it neglects to go further and address the increasing need for us all to rethink how we secure IP-based services, applications and infrastructure.

What it did not address is the fundamental problem in the relationship between IoT devices and a flawed DNS system, which enables these devices to essentially be hijacked and used to initiate disruptive Distributed Denial of Service (DDoS) attacks. DDoS was already one of the most popular attacks for hackers, and the IoT is becoming the ultimate delivery vehicle for it.

And while some critics point to the need to address the inherent security vulnerabilities of IoT devices and others advocate improving a flawed DNS system, the reality is that, in the short term, we need to do both. We need to quickly agree on standards for configuring IoT devices more securely, and we need to advocate (mandate) use of the more modern DNSSEC to authenticate connections to DNS servers, making them more secure.

Ultimately, the way we approach IT security today is the fundamental problem. Without getting too technical, within our current IP-based, DNS-centric framework, we operate in an environment where every device is given access to a service before it is required to authenticate.

The reality is that we need to start by changing the paradigm and develop solutions that require authentication first, before access to the service is given. This will allow us to completely remove the footprint of IoT devices, even when they are using public infrastructure for communications, making it virtually impossible for hackers to exploit vulnerabilities.
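To make the authenticate-first model concrete, here is an added sketch (not from the original article or any SDP product): a gateway that ignores every source until it presents a fresh, HMAC-signed authorization packet, in the style of single-packet authorization. The device ID, key, service name and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed enrollment table: device id -> pre-shared key (hypothetical values).
DEVICE_KEYS = {"door-ctrl-17": b"constructed-demo-key-not-for-production"}
MAX_SKEW = 30  # seconds an authorization packet stays fresh


def build_auth_packet(device_id, key, service, now=None):
    """Device side: one signed packet sent before any connection is attempted."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"dev": device_id, "svc": service, "ts": ts,
                       "nonce": os.urandom(12).hex()}, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class Gateway:
    """Default-drop gate: a source may connect only after a valid packet."""

    def __init__(self, keys):
        self.keys = keys
        self.seen = {}        # nonce -> timestamp, used to reject replays
        self.allowed = set()  # (source, service) pairs that authenticated

    def handle(self, src, packet, now=None):
        """Return True if access was granted; False means drop with no reply."""
        now = time.time() if now is None else now
        try:
            body, tag = packet.rsplit(b".", 1)
            msg = json.loads(body)
            key = self.keys[msg["dev"]]
        except (ValueError, KeyError, TypeError):
            return False  # malformed packet or unknown device
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key or tampered body
        # Forget nonces that the freshness window would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        ts, nonce = msg.get("ts"), str(msg.get("nonce"))
        if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW or nonce in self.seen:
            return False  # stale or replayed packet
        self.seen[nonce] = ts
        self.allowed.add((src, str(msg.get("svc"))))
        return True

    def may_connect(self, src, service):
        return (src, service) in self.allowed
```

Because every failure path returns without replying, an unauthenticated scanner cannot distinguish the protected service from an unused address.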

So while we all agree that IT security is broken, and there is a groundswell of support for digital risk management, a proven solution for protecting IP-based services already exists and is in use today by companies such as Coca-Cola and Google, large government agencies such as the DHS, and others.

Software Defined Perimeters (SDPs) employ an authenticate-first approach by securing every connection to a service, application or critical infrastructure. The approach is relatively simple, with each solution engineered specifically to protect a predefined service, application and/or IT environment, and has been proven as 100% effective.

Another example is Building Intelligence, which specializes in cloud-based solutions for security practitioners and building owners to manage visitors, vehicles and vendors. Check out what they are doing with SDPs for their customers.

For more information on SDPs, check out this white paper.

To learn more about IoT threats and vulnerabilities, check out this webinar I participated in. It examines:

  • What IoT devices are internal to my company?
  • Do I know what IoT devices are externally entering my company via my employees, contractors and vendors?
  • Do I know what threats and vulnerabilities these IoT devices represent to my company?
