A Q&A with Larry Pesce of InGuardians
While the Internet of Things is making life more convenient, it’s also posing numerous security risks for both individuals and organizations. To find out more about why companies should keep an eye on these devices and how they can better mitigate risk, I spoke with Larry Pesce of InGuardians.
What is the Internet of Things (IoT) and what makes it risky from a cyber security perspective?
The IoT is really what we used to call embedded devices—basically any type of device that communicates over the internet. We used to see these devices primarily in the workplace for improving job productivity—a printer connected to a network that allowed you to print wirelessly, for instance—but now it’s spilled over into our homes with refrigerators that allow you to check their temperature from a distance and so forth. You can now open a garage door from halfway across the planet. The problem is that these devices are relatively inexpensive to create and they’re meant to be used by a broad audience and as a result, general computing security features are often sacrificed during the manufacturing process.
The problem is that these devices are relatively inexpensive to create….general computing security features are often sacrificed during the manufacturing process.
What kinds of security scenarios might impact an enterprise level business?
Imagine that smart refrigerator ending up in the break room at work. Now it’s communicating on the same network that houses important data. Or it could even be a scenario where an executive brings their laptop home, which is now on the same network as the smart devices in their house. Either way, a malicious actor can use the vulnerabilities in these devices to infiltrate the network and gain access to sensitive information. In terms of the work environment, it may not even be obvious that these sorts of devices are around and on the network. A colleague was recently at an enterprise site on a completely unrelated project and he fired up his wireless discovery tool and found devices on the network that were associated with IoT—devices the employees weren’t even aware of.
From a technical perspective, what makes these devices insecure?
Let’s go back to that fridge. If there’s an issue identified with the product the manufacturer will likely send notice to customers but the notice may not illustrate the actual risk well. The customer will have to go online and download the update. When was the last time you patched a fridge? When was the last time you updated your computer software? There’s always the perception that if it’s not broken, don’t fix it and if it’s cooling fine, there won’t be a sense of concern about the so-called bug.
Are there any real life cases of data breaches arising from the IoT?
There are not many that have been publicized but even if you look at the Target breach, the problem originated from the HVAC and refrigeration systems that vendors were using, engaging with third parties to monitor these IoT devices. If these systems were manual they wouldn’t have been able to be compromised—it’s as simple as that.
How can organizations mitigate the risk around IoT devices?
My best advice is not to use them in the work environment. But we know that security can’t always be the deciding factor so if people are going to integrate these devices they need to make sure they are on restricted areas of the network and that they don’t have access to internal corporate resources. You follow the principle of the least privilege, giving the least amount of access to the devices. And this one sounds obvious but it happens way too much: Change your default passwords. Again and again during our penetration testing we see defaults and almost always in embedded and IoT devices. Finally, have someone conduct testing to make sure there are no vulnerabilities.
What do you see as the future for IoT?
Right now, it’s more focused on consumer devices but I expect we will see more on the enterprise side eventually. Ultimately the biggest risk is going to be your users and how they interact with their own IoT devices as well as the enterprise environment.
This is an interesting issue that has the potential for creating systemic risk for both companies and their cyber liability insurers. Granted, the risk is more theoretical right now but everyone agrees that real life cases are just around the corner. Take, for example, the recent report from American Military University that “…more than 69,000 medical devices were reported wirelessly hacked. These devices include patient monitors, infusion pumps, ventilators, pacemakers, MRIs, and several medical device software apps ranging from automated diagnosis of disease to medical billing.” We’re seeing some of the same concerns about the automotive industry with cars connected to the internet for functional purposes (self-driving, etc.). It was reported that researchers were able to exploit this new technology and manipulate the speedometer to display a speed of 140 MPH when the car was still in park; disable the brakes; install malware that would only trigger if the car went over 20 MPH; and more. The risks will only continue to grow and we should all be aware of them.
NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.