In-brief: Marc Blackmer of Cisco says that, with so much promise, it can be hard to anticipate how individual or company-wide decisions to embrace the IoT might bear on cyber risk.
Full data encryption on my mobile devices? Check.
Always-on VPN on my mobile devices? Check.
Camera covers and cut off headphone plugs to thwart eavesdropping? Check. Tor? Check.
Two-factor authentication? Check.
Bluetooth connectivity? Never…well, except in the car, of course. Safety first, after all. And there is that new Bluetooth speaker system we have, but that’s just at home. Oh, and I did just get a new road bike that will send speed and cadence data to the app on my phone. What’s really cool about that is I can track stats for each ride – distance, speed, personal records, calories burned, and more. Considering I need to drop some weight and bring down my blood pressure, it’s a great way to stay motivated. What’s really cool is this WiFi-enabled scale I saw online that I can use in conjunction with a wearable monitor, and both will feed all of my personal health data to the CLOUD! I can even compare stats with my friends!
You see where this is going, right? The thing is, I’m not making this up. Everything I wrote above is true. So how is it that someone like me, a cybersecurity professional and self-described “rational paranoid,” gets blindly excited about technologies that I know make me vulnerable?
There is the cool factor, of course. New gadgets fire up my inner propeller-head by promising efficiencies that I think are personally beneficial. Tracking my progress provides motivation to keep going (at least in theory) and allows for corrections when I get off course.
And I’m competitive. Sharing my rides with like-minded folks is a friendly way to compete for bragging rights when we can’t ride together. And it’s a great way to get my doctor off my back.
But do the privacy risks of, say, fitness trackers outweigh their benefits? Many in the information security community would say “yes.” Others dismiss the risks posed by wearables as FUD (fear, uncertainty and doubt) and a low-level concern in the grand scheme of things. My opinion is that both arguments are wrong. Rather than looking at the class of device (“wearable”), we should consider the value of the target wearing the device.
Imagine, for example, that the CFO of your company installs a vulnerable health app on her smartphone that receives Bluetooth feeds from a sensor attached to her bike. Like many of us, she forgets to disable Bluetooth after her workout and pops into a cafe for her daily coffee. At the coffee shop, that Bluetooth connection to the application is used by an “advanced persistent” attacker familiar with her routine to compromise her phone.
That same phone has a VPN client to connect to your corporate network. And the CFO, being the CFO, has access to the company’s financial data. Once the phone is compromised and a connection is made, is it so hard to imagine the malware spreading to your network? Or maybe the malware just stays resident on the CFO’s phone, monitoring her inbox and grabbing PDFs or spreadsheets that get sent to her. That kind of compromise would be much harder to spot, but damaging to your firm all the same. How hard would it be to detect that malware transmitting stolen data to a drop site or communicating with command and control servers? Sure, the CFO could notice changes in her data use, but in an age of multi-gigabyte-per-month plans and streaming to mobile devices from Netflix and Amazon, would a few stolen files here and there even show up? Almost certainly not.
What is my point? For one: the promise of the Internet of Things (IoT) is manifold. And with so much promise it can be hard to anticipate how individual or company-wide decisions to embrace the IoT might bear on your company’s cyber risk. After all, if a seasoned cybersecurity professional who knows the risks (me) can be seduced by the promises of convenience, efficiency and social status via the IoT, what chance do laymen and women have?
We can’t put the genie back in the bottle. The IoT is here now. If we are going to secure it, we can’t ignore the irrational draw of “cool.” Nor can we ignore the commingling of apps and data that the IoT makes unavoidable.
Techniques and technologies such as device profiling, network access policies and policy enforcement are key to managing IoT risk. But we need to start with the understanding that many people (even those of us who should know better) and organizations will make irrational choices. Once we understand IoT cybersecurity is not primarily about technology, but about people, we can then craft more effective defenses.
My scale arrives Thursday, by the way. I’m pumped!