The Internet of Things (IoT) is the connectivity and networking of devices and other items that have network connectivity capability. This network connectivity allows the devices (things) to collect, transmit, analyze, and exchange data. The devices include hardware, software, data, and services, and they can be controlled and managed remotely across an existing network infrastructure. There are three main sectors of IoT device use: enterprise, home, and government, with the Enterprise Internet of Things being the largest. Complex distributed computing and applications will result in a large number of devices connected to the Internet. The ability to connect devices with CPU, memory, and processing capabilities is a risk to your organization, as these devices can perform actions, not just sense activity and actions.
A variety of communication technologies can be used to connect devices to networks. These include Wi-Fi, Wi-Fi Direct (peer to peer, without the need for a wireless access point), Bluetooth Low Energy, Light Fidelity (which uses light), wired Ethernet, and other technologies.
Internet of Things Risks
Many organizations adopt IoT devices without fully recognizing the privacy issues, risks involved, security challenges, and regulatory requirements. Traditional security concepts (e.g. vulnerability management, patch management, change management, etc.) that apply to network infrastructures are not sufficient and need additional controls when implementing IoT devices.

To keep costs down, many IoT manufacturers do not embed enhanced security features in their devices. As such, the devices may be subject to attacks, or the devices themselves could be used to launch attacks on other devices or the network.
IoT risks include:
- Denial of Service (DoS) - devices can be used to launch denial of service attacks against the network.
- Hardening - devices must be hardened and security defaults reviewed/changed prior to installation.
- Management - devices must be managed similarly to other network components.
- Obsolescence - with the rapid pace of technological change, devices may need to be replaced/upgraded on a regular basis.
Action Plan
Organizations should first prepare a formal Risk Assessment, Risk Analysis, and Risk Treatment Plan for IoT devices. Knowing the risks allows the organization to identify preventive, detective, and corrective security controls that mitigate or reduce risks to acceptable levels. The Risk Assessment also helps the organization implement defense in depth, with layers of security instead of single points of failure.

Full disclosure is important, and users should be aware of any data sharing that occurs. In addition, in the event of a security breach, the organization must inform the affected individuals if their personally identifiable information (PII) is compromised.

Organizations should collect only the minimum amount of user data required. In addition, the data should only be retained for the time period required by the organization.

Formal and documented policies ensure a top-down approach to managing risks.