Securing against the Internet of Things is not just the responsibility of the manufacturer, Fortinet has said.
The Internet of Things is not just about smart fridges, home assistants, and gimmicky gadgets, Toan Trinh, consulting systems engineer at Fortinet, told the Gartner Security and Risk Management Summit in Sydney on Tuesday — it is also about a whole new domain the enterprise is responsible for securing.
Rather than just being about protecting new devices from the outside world, Trinh said it is about connecting those new devices to older, existing devices that are most probably running old code, and protecting the entire network that such devices run on.
“One of the issues of IoT is that there’s a lot of legacy systems and devices out there that when people originally designed it, they never intended or never thought about the security aspect,” Trinh said, adding that looking 10 years into the future wasn’t always front of mind when designing these devices.
Trinh said that a lot of the businesses that manufactured or sold the devices to organisations a decade ago are no longer in operation, which results in the inability to patch or request support. He said the prevalence of legacy systems that the rest of the organisation depends on is quite heavy — something the recent WannaCry ransomware brought to the forefront.
Shadow IT — tech running on a network that wasn’t originally designed or approved by the business — is another avenue organisations need to explore when arming for the IoT, according to Trinh.
“Every one of us has the responsibility to protect it whether we use it at home or in the corporate environment,” he said.
Pointing to the Mirai botnet that turns networked devices running Linux into remotely controlled “bots” that can be used in large-scale network attacks, Trinh said it was good for the world, because it showed the potential impact IoT can have.
“Everyday IoT — especially consumer IoT — is really designed to be useful, fun, convenient, and cheap, but when you look at the manufacturing or thought process for IoT, they have to come out with a device very quickly, cheaply, and easily accessible. When things are made so cheap, they often don’t envisage the device sitting there for five or 10 years,” he explained.
“When they consider security or patching, that’s probably the least of their worries.”
Security always becomes an afterthought, Trinh added, which leads to a high percentage of potential damage when looking at the number of devices expected to be in existence within three years — 8.4 billion by 2020, estimated by Gartner.
“They can be introduced into your corporate environment, so you have to consider them a threat, as well.”
According to Trinh, there are four key elements to look at from an enterprise point of view when thinking about the IoT: The device itself, the network it uses, the platform it connects to — such as the cloud — and the data that it transfers.
“All of these elements need to be secured in some fashion,” he said.
“A manufacturer of IoT, their goal is to make it fast and cheap; it’s not intended to make it last for long, so they don’t really care about security or making it patchable.”
As a result, he said the responsibility lies with the enterprise.
“[It’s about] providing the network with the smarts to protect yourself from these devices. When a device gets introduced, that opens up your attack surface. You have to build a security fabric that controls your access layer … because today’s network is borderless.
“Before jumping on the IoT bandwagon, think about your network and its current status … and determine how well you can handle these devices coming on.”
Article originally posted by ZDNet.