Develop. Deploy. Defend.
By Davide Ricci
The factory floor is geting a makeover with intelligent connected devices. The server room is no longer a stuffy place. A majority of enterprises are strategically on the Internet of Things (IoT) path, and the developer ecosystem is rapidly changing as well. It seems we’re well on the way to reach industry forecast of 200 billion connected devices by 2020?
Devices will continue to grow in volume and variety, but the reality is that many organizations haven’t finished assessing how the IoT adoption will impact their business from strategy to execution. Many of their product and development teams have created pretty impressive ideas about sensors, connectivity and data, and tapping to a rich application ecosystem. That will improve productivity, reduce cost, and carry the organization into new opportunities. But what happens to these awesome devices once deployed and what sort of upkeep is needed?
Enter the update cadence: regular updates and device maintenance ensures that devices and apps are always up to date. What if maintenance updates are not the only thing that they encounter while online? After all, all devices are connected to a network.
Enter man-in-the-middle attack concept: one example is the possibility to decrypt and modify traffic from a device to a server. Many of other examples are captured in current vulnerabilities that get reported each day. Statistics show they continue to be more widespread than ever before. Even monitoring them is overwhelming – see CVE announcement.
The growth of the IoT is adding the dangerous dimension in which all connected devices can now be hacked, have their information stolen, and even be remotely controlled.
So, will IoT devices get a happily ever after ending?
Happily ever after is possible, but an additional consideration is needed – a mechanism to keep devices defended. New built-in security designs are not enough. They should be complemented by ongoing and automatic defense measures for the devices that are deployed in the field.
The National Institute of Standards and Technology along with several other Government agencies have been specifically positioned to help fight and prevent cybercrime using strict methodologies and metrics. This goes beyond built-in security and addresses new exploits showing new breaches in the code, that a previous build-in design could not have anticipated.
Manufacturers must re-think their security strategy and concentrate not only on system level reinforcing, but also on agile integration of new vulnerability patches. This is a more flexible approach for ongoing security and patching. If manufacturers don’t adopt an always-updated system, they have no guarantee that their original built-in security will hold up against the latest exploits that are being created and uncovered every day.
CVE has become the de facto industry standard providing a standardized identifier for a given vulnerability or exposure. Using CVE identifiers, the information about a vulnerability can be easily correlated to its respective security patch, availability, or corresponding technologies. That makes it vital for the open source software world.
“We especially expect to see exploits of newly discovered vulnerabilities in areas beyond Windows. Increasingly, embedded systems, the Internet of Things, and infrastructure software will become the targets for advanced threats and zero-day attacks. These include variants of Unix, popular smartphone platforms, IoT specific systems (such as Tizen and Project Brillo), and underlying foundation components and libraries (Glibc, OpenSSL, etc.).”
McAfee Labs 2016 Threats Predictions
And there are a lot of them.
An effective defense is to update the software on the device once the industry identifies a security flaw. Open source software can be an advantage for security teams because you can have all kinds of researchers such as those in Government agencies and dedicated mailing lists with the purpose of finding holes in code. This requires systems to be monitored, assessed, and patched more effectively and efficiently.
Monitoring increases your odds of being well prepared against the next attack. Often vulnerabilities are uncovered in select circles, announced on mailing lists and embargoed. This gives vendors the time they need to protect themselves.
Challenges implementing a continuous monitoring strategy
While it is very important to monitor vulnerabilities, it’s not always glamorous. Current research shows that developers are always excited to work on the next emerging technology, but not necessarily updating the base platform. However, it’s important that someone does this monitoring. A specialized team can do it more efficiently – someone who proactively monitors and identifies weaknesses before they become problems. Someone who is plugged into all relevant mailing lists, public and private, and aware of all the cool and up-to-date things happening in open source like the fact that Yocto Project* v2.1, releasing this month will include a feature called swupd to help identify “good guy” firmware, or the Core Infrastructure Initiative from the Linux Foundation. Someone with the skills to solve security issues. That is the right partner for a happily ever after ending. See for yourself what awaits your devices once deployed, or hear us talk about it in this webinar. Otherwise, be prepared for what might await the DIY alternative.