Below is an essay I wrote on connected devices, commissioned by the internet security firm CybelAngel. It was written to be published on social media.
Connected Devices: The Promising Puppies Of Data Security
If IT systems were dogs, conventional web servers would be Labrador Retrievers: friendly, ubiquitous, and usually safe. Once in a while one will get skunked by a DDoS attack, or pick up a malware tick, but with good security software and protocols, they’ll stay healthy and fetch HTTP tennis balls all day long.
Connected devices, such as Network Attached Storage devices and “smart” devices on the Internet of Things, are a different breed. When it comes to data security, they’re more like Vallhund puppies: young hounds that can leak data all over the carpet.
Connected devices are smaller than the web servers sysadmins are used to protecting, with most devices running lightweight variants of FreeBSD and Linux. They’re also new on the scene, so engineers haven’t yet learned how to housebreak them.
With proper care and training, can connected devices become reliable companions? Yes they can—read on to learn more.
NAS devices: The problem pups in enterprise IT
NAS devices are like the six-month-old pup you got from a neighbor who never bothered to train it: they’ve been around a while, but they still present problems. These devices enable IT operations to keep up with data storage needs that are growing exponentially, but they also pose the biggest data leak danger that enterprises face.
Most enterprise data breaches these days involve NAS devices. The U.S. Air Force experienced this firsthand, when a NAS device used by one of its higher-ranking officers leaked a great deal of top secret data onto the internet. This data has been called the “holy grail” for foreign spies, and there were several hours during which those spies could have accessed it.
The engineers at one security firm have been tracking NAS data leak dangers, and they’ve seen them more than double in the past five years. They’ve also seen risks from third-party partners increasing. For example, after detecting a customer’s sensitive files on a partner’s NAS device, the engineers later saw those files used to try to hack the customer’s servers.
IoT devices: still need to be house-trained
IoT devices are like six-week-old puppies fresh out of the basket: little bundles of trouble right now, but they have the potential to become useful working dogs. That potential is why the IoT “breed” is becoming more popular, with one study projecting that the number of IoT connections worldwide will more than double in the next four years.
The better the use case for an IoT device, the greater the data leak danger it poses. A car manufacturer, for example, can use embedded IoT devices to fix problems more quickly than it can with recalls, but it also runs the risk of having its cars leak sensitive data. One researcher saw this when he accessed the location data of a car he’d sold years before.
Similarly, medical device manufacturers can use firmware updates to fix some medical problems less invasively than doctors could with surgery. But they also run the risk of having their IoT-enabled devices leak data, which could have happened when a vulnerability in heart pacemakers made it possible for hackers to steal data from them.
In 2019, there were three times as many attacks on IoT devices as there were the previous year, so securing them is becoming increasingly important.
No house-training program currently exists
How do we “house train” these connected devices? Security standards bodies are currently figuring that out. While there are no current standards for connected devices, US Federal standards are in the works, and NIST guidelines have been established that are likely to become private sector standards.
Other organizations have also created IoT security guidelines. Intended to help engineers employ devices that 1) allow only approved connections, 2) verify their secure status, and 3) authenticate valid users, the guidelines from the IoT Security Foundation, GSMA, and ETSI are worth reviewing.
Bringing these promising puppies to heel
While there’s no official regimen in place to keep connected devices from leaking data, there are things that their owners can do to mitigate the dangers. Engineers whose work involves securing these devices recommend that an enterprise:
- Detect leaks quickly. No connected device can be secured completely from all threats, so data leaks are inevitable. When one occurs, it’s important to recognize it quickly, so that damage can be reduced or avoided.
- Scan comprehensively. Just as connected devices require security engineers to monitor more than server rooms, their tools must also scan more than the public internet. Scanning the deep and dark web for data leaks is a good idea.
- Validate all alerts. Make sure that the security alerts your IT staff receives from connected devices are valid. The more false positives they get, the more alerts they’ll discount or ignore, and the more data leaks will go unaddressed.
By following these recommendations, enterprises that use connected devices can employ these promising puppies safely, while developing them into stalwart working dogs that do some very useful things.