Protecting critical internet infrastructure from IoT device risks
- By Pete Burke
- Dec 10, 2018
As the infiltration of internet-connected devices into nearly every aspect of daily life continues to expand, so do the vulnerabilities and security risks they create for their operational networks. That includes the devices and networks used by federal agencies that ensure the security of the government’s critical infrastructure.
The internet of things is at once an immensely useful innovation and a significant security threat. With the sheer number of devices connected to networks -- which is growing by the day -- there are many possible entry points for potential hazards. One weakness in the security chain could pose a vulnerability to the entire system and open an opportunity for exploitation.
We must better protect our nation’s critical infrastructure and shield our agencies -- and the public -- from these immense risks.
Managing it from the starting point
In the past, hackers typically would have to target a vulnerability to infiltrate individual laptops and servers. Today, hackers have a much larger attack surface made up of easy targets created by the many vulnerabilities commonly found in IoT devices.
Smart televisions, routers, smartphones -- even smart refrigerators and thermostats -- could all potentially contain software vulnerabilities. Relying on the vendors who build these devices to implement and maintain robust security and vulnerability checks, both during the development and after the release of their product, is a fool’s errand. These types of security maintenance programs are usually only found at larger manufacturers and overlooked by most companies since they are costly and can slow down production. Agencies must be proactive and have measures in place to protect against the potentially vulnerable devices introduced into their networks. They must be ready to identify any weaknesses and be prepared for how they’ll affect their network once they are connected.
IT managers must first assess their networks and understand where deficiencies reside. After that, a full-scale automation of network asset onboarding should take place, which includes putting in place -- and enforcing -- network segmentation, bring-your-own-device policies and guest-access networks.
Network access control solutions can handle a big chunk of the work.
NAC solutions authenticate resources in the network, perform compliance checks, notify network vulnerability tools of new assets that need to be scanned and grant network access based on authentication or compliance. They’ll handle the heavy lifting as agencies automate authentication processes while checking a device's traits and vulnerabilities before it connects, which prohibits a deficient device from joining.
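To make the NAC flow described above concrete, here is an added example of the admission decision a NAC makes for one onboarding event: authenticate, run posture checks, pick a segment (corporate, guest or a remediation VLAN), and hand newly seen assets to the vulnerability scanner before they are trusted. This is illustrative code written for this article, not the API of any NAC product; the enrolled device list, MAC addresses, posture fields and the minimum OS baseline are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed directory of enrolled corporate assets (what an 802.1X / PKI
# enrollment database would provide). Hypothetical MACs, not real devices.
ENROLLED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Minimum baseline an agency might set before a device may join the network.
# The threshold is an assumption for the example.
MIN_OS_VERSION = (10, 0)


@dataclass(frozen=True)
class Device:
    mac: str
    authenticated: bool      # passed 802.1X / certificate authentication
    os_version: tuple        # e.g. (10, 2)
    patched: bool            # endpoint agent reports current patch level
    firmware_signed: bool    # vendor-signed firmware (matters for IoT gear)
    default_creds: bool      # factory credentials still in place


def compliance_issues(dev: Device) -> list[str]:
    """Posture checks a NAC runs before granting access; returns the failures."""
    issues = []
    if dev.os_version < MIN_OS_VERSION:
        issues.append("os_below_baseline")
    if not dev.patched:
        issues.append("missing_patches")
    if not dev.firmware_signed:
        issues.append("unsigned_firmware")
    if dev.default_creds:
        issues.append("default_credentials")
    return issues


def admit(dev: Device, known_assets: set[str]) -> dict:
    """Decide the segment and side effects for one onboarding event.

    Segments: corporate (full access), guest (internet only, BYOD / unknown
    but clean), quarantine (remediation VLAN for non-compliant devices).
    known_assets is the NAC's running inventory and is updated in place.
    """
    issues = compliance_issues(dev)
    actions = []
    if dev.mac not in known_assets:
        # New asset: notify the vulnerability scanner before it is trusted.
        actions.append("queue_vuln_scan")
        known_assets.add(dev.mac)
    if issues:
        segment = "quarantine"          # deficient device is kept off the LAN
        actions.append("notify_owner")
    elif dev.authenticated and dev.mac in ENROLLED:
        segment = "corporate"
    else:
        segment = "guest"               # unauthenticated but clean: internet only
    return {"mac": dev.mac, "segment": segment,
            "issues": issues, "actions": actions}


if __name__ == "__main__":
    inventory: set[str] = set()
    laptop = Device("aa:bb:cc:00:00:01", True, (10, 2), True, True, False)
    thermostat = Device("de:ad:be:ef:00:01", False, (3, 1), False, False, True)
    for d in (laptop, thermostat):
        print(admit(d, inventory))
```

The first onboarding of any MAC produces a scan request regardless of outcome, so the vulnerability tool sees every asset, while the segment decision is driven by posture first and identity second: an enrolled, authenticated laptop with an expired patch level still lands in quarantine rather than on the corporate VLAN.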
Traditional security methods -- antivirus software, firewalls, data-loss prevention techniques -- are effective when used appropriately, but they only react to malicious activity after an attack launches, which is often too late.
Agencies must invest in endpoint security so that they can proactively limit the number of entrances for malicious actors to access the network. The right endpoint security merges traditional methods with machine learning and artificial intelligence and utilizes the data gathered by the other security solutions deployed across the network.
When evaluating the endpoint options available, IT managers must understand how much data analysis is required. The new technologies must be able to work in conjunction with existing security solutions, including the NAC, to deeply examine and expedite the breakdown of the large swaths of behavioral data the network is gathering. The tools should be talking to each other -- and through their conversation, building out a protective narrative.
That story should include tense moments where systems come together to evaluate the proficiency and aim of suspect files as well as movie-like climaxes where they create and execute protective solutions to ward off threats.
Agencies bear the responsibility of making sure their borders are adequately protected. It is incumbent upon agencies to ensure they have the proper tools in place, that they are executing appropriate testing and that they are pushing the right pressure points to expose their own vulnerabilities. Then they can layer in NAC solutions and endpoint protections.
It all helps to protect the nation’s critical infrastructure from ever-expanding threats. But it needs to start with some uniform industry standards around the source code for IoT-connected devices.
It would be beneficial for software developers to follow a standard, similar to those of the International Standards Organization, that ensures proper checks and balances prior to any new software launch. Even simply assuring there’s a minimum amount of testing done before source code is released would provide some structure and help prevent many well-known vulnerabilities from being released. Agencies can create their own standards to determine the necessary security requirements a device needs before it can be connected to its network.
The conversation about security solutions should have a happy ending, with threats neatly deflected regardless of the device where they originated.
Pete Burke is the security practice team lead at Force 3.