Merritt Maxim and I just published our research on the IoT Attack Surface. This report gives a realistic, but not sensationalized, view of how enterprises need to think about IoT. Three factors motivated our research on this topic: attacks on IoT will transcend the digital-physical divide, the sheer scale of IoT will challenge security teams, and IoT devices collect massive amounts of data.
The following methodology allowed us to home in on concrete enterprise scenarios:
We went for offense first. We started by interviewing prominent security researchers who spend their days thinking about how to attack IoT devices and systems. Our outside-in approach allowed us to develop a threat model for intrusions, as well as identify weak points in the defenses of IoT makers, users, and operators.
We explored the ramifications of an attack. We wanted to understand what an attacker would, or could, do when successful. We also wanted to understand how much friction stood in the way of whatever came next: credential harvesting, persistence, or disrupting operations.
We examined existing security practices to understand what works, and what doesn't, when defending IoT devices. This step highlighted that while IoT is different, defending IoT looks similar to other security problems S&R pros have dealt with. You can bring security lessons forward and apply them to IoT without having to learn them all over again.
Connected medical devices are transforming healthcare. Unfortunately, security is too often an afterthought for the clinical engineering and business technology (BT) management teams implementing these revolutionary new technologies. In a recent report, Forrester predicted that 2016 will be the year we see ransomware for a medical device or wearable. This is a delicate thought, considering: 1) the healthcare industry is actually behind other industries on data security, and 2) the FBI highlighted the risk posed to medical devices in its recent public service announcement, Internet Of Things Poses Opportunities For Cyber Crime.
This research initiative seeks to answer the following: Are there real threats posed by the emergence of connected medical devices? What can you do to protect your patients and employees from life-threatening breaches? Is there an underground market for medical device exploits? This research will publish in early 2016 and will be featured in my talk at the RSA Conference this March.
We are looking for research interview candidates to support this initiative, specifically security professionals working in a healthcare setting or medical device security vendors with current solutions on the market. In exchange for your time, we will provide you with a complimentary copy of the final research. While anyone who participates will have the opportunity to be listed as an interviewee in the final report, all interviews will be treated as confidential unless expressly instructed otherwise.
Internet of Things (IoT) security is a hot topic among security and risk professionals. It seems as if every "thing" on the market is becoming smarter and more interactive. As the level of IoT device maturity increases, so does the risk of data and device compromise. The scary thing is that we really have no idea what IoT devices are in our environment, let alone the correct way to secure them.
Both IoT product makers and IoT product operators need to understand the security implications of IoT devices. Security in IoT requires product makers to rethink how they create technologies, secure code and hardware, develop new offerings, and ensure the privacy of the data they collect. These are not areas that automobile, manufacturing, and retail technology makers have typically had to consider in the past. The scale of IoT devices in each vertical is enough to employ a small army of developers who are not yet up to speed on the latest secure code and hardware concepts.
On the other side of the coin, enterprises are in the unenviable position of implementing these poorly coded and built technologies. Competitive pressure from other enterprises will drive increased IoT adoption to improve business efficiency. IoT will become pervasive, and mandatory, throughout every vertical from gas and electric to automotive. The threat landscape in these areas will be immense.
Once a month I use my blog to highlight some of S&R’s most recent and trending research. This month I’m focusing on application security and asking for your help with some of our upcoming research into the security and privacy risks associated with the Internet of Things (IoT). IoT is any technology that enables devices, objects, and infrastructure to interact with monitoring, analytics, and control systems over the Internet. The illustrious and debonair Tyler Shields (@txs) will lead our research into IoT security, but as the risks become more and more concrete for various verticals, you can expect the entire team to engage in this research.
Take our IoT security survey and talk with our analysts! If you contribute to the emerging IoT market, please fill out this brief survey (http://forr.com/2015-IoT-Security-Survey). Participants will receive a complimentary copy of the completed research report and we'd be happy to interview anyone who would like to discuss IoT and security in detail. Be sure to reach out to Tyler (firstname.lastname@example.org) or Jennie Duong (email@example.com) if you’re interested.