A reliance on passwords to prevent attackers from accessing systems, devices, and applications is outdated and ineffective. Attackers typically count on users implementing password-based security protocols, which opens the door to attacks — such as Trojan viruses, phishing, and man-in-the-middle — that take advantage of vulnerabilities. Attackers have evolved from simply wanting to achieve notoriety to becoming sophisticated thieves who steal personally identifiable information (PII) — such as financial and health care records and account numbers — to targeting the rapidly developing Internet of Things (IoT) market, where a hack becomes more personal and potentially life-threatening.
In this slideshow, Phil Montgomery, chief product officer at Identiv, will provide five recommendations to mitigate risk and maintain a strong security posture in this ever-growing connected world.
Mitigating IoT Risks
IoT Security Vulnerability
In 15 years, there will be many instances of IoT that we haven’t even thought of yet. In fact, this is quite likely in a world that will have 10 to 100 times more Internet-connected devices than there are connected humans. Hundreds of billions of machines will be sensing, processing, and transmitting data without direct human control or intervention.
Even today, we’re not successfully securing connected devices from attacks. Point-of-sale machines, elevators, HVAC systems, light-rail transit, and commercial aircraft have all become connected by converged IP-based networks, and now share a common trait: They’ve all been hacked.
Step 1: Manage Security at Every Level of IoT
Former RSA CTO Deepak Taneja has called the lack of IoT security a “time bomb.” During a panel discussion at TIE Startup Con in May 2015, Taneja said that technology is advancing at a rate that’s outstripping enterprises’ ability to secure internal and cloud resources, and then along comes IoT in the form of all sorts of networked sensors and gadgets. “Organizations aren’t spending that much on security. It’s increasing, but it’s not enough and IoT only makes it worse. So it is a time bomb.”
Take a hospital as an example. Virtually every medical device — from the bedside machine monitoring a patient’s vital signs to MRI machines — is connected to a network in order to effectively communicate, share data, and improve collaboration among medical personnel. Very few of these have any security technologies to protect them from attackers either stealing information or easily taking control of these devices.
As the connected world grows, each layer of technology needs to incorporate identity to secure the object, its access, and every transaction. Once we start to formulate a plan for each disconnected “thing” morphing into an intelligent and connected item, it becomes obvious that password security is obsolete and there is a need for a technology that is compatible, open, scalable, and proven trustworthy.
Step 2: Protect the Identity of Objects and Users
Firewalls, gates, doors, and fences no longer guard our security. The new perimeter is our identity. We need to secure this identity to prevent attackers from accessing our home security cameras and stealing our photo collections, bank statements, and medical records.
Identity protection must be embedded into the base platform on which our next-generation technology is being built, so that we can establish trust in day-to-day items and interact with our connected world confidently.
Step 3: Eliminate the Use of Passwords
According to the Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software, “attackers use weak passwords, insecure password recovery mechanisms, poorly protected credentials or lack of granular access control to access a particular interface.”
As the connected world expands, each layer of technology needs to incorporate identity to secure the object and its access.
Securing IoT requires a technology that is compatible with all devices, especially considering that some existing “dumb” devices can be made “intelligent,” creating a mix of old and new machines running on disparate systems and technologies that must communicate.
Security must be open, scalable, and proven trustworthy. The solution lies in this equation:
Card + Cert + PIN
Step 4: Implement Multifactor Authentication
According to OWASP, authentication is not sufficient when weak passwords are used or are poorly protected. However, insufficient authentication/authorization is common because organizations assume that interfaces will only be exposed to users on internal networks and not to external users on other networks.
The solution is to implement multifactor authentication, which significantly strengthens the authentication process since it aims to remove the password. This eliminates many pervasive methods attackers commonly and successfully execute.
How it works: Take something you have (e.g., a smart card provisioned with a digital certificate) and something you know (your PIN) to gain access to the data you need — or to buildings and networks, for that matter — while ensuring that the organizations you interact with are secure.
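An added example of the Card + Cert + PIN exchange described in Steps 3 and 4 (not code from Identiv or from the original slideshow). The card is modelled in software as a private key kept encrypted under the PIN, so it cannot sign until the PIN is presented; a real smart card performs that check in hardware and never exports the key. The issuing service, the name "Example Issuing CA", the user "alice" and the PIN values are constructed for this demonstration.

```ruby
require "openssl"

# Card stands in for a smart card (software model only): the private key is stored
# encrypted under the PIN, so "something you have" cannot sign without "something you know".
class Card
  attr_reader :cert
  def initialize(key, pin, cert)
    @locked_key = key.export(OpenSSL::Cipher.new("aes-256-cbc"), pin)
    @cert = cert
  end

  # Answer a verifier's fresh challenge; on a wrong PIN the card refuses and returns nil.
  def sign(pin, challenge)
    OpenSSL::PKey.read(@locked_key, pin).sign(OpenSSL::Digest.new("SHA256"), challenge)
  rescue OpenSSL::OpenSSLError
    nil
  end
end

# Issue an X.509 certificate for pubkey; issuer_cert nil means self-signed (the CA itself).
def issue(name, pubkey, issuer_cert, issuer_key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.new([["CN", name]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Enroll plays the issuing service: create the CA, then provision one card for the user.
def enroll(user, pin)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue("Example Issuing CA", ca_key.public_key, nil, ca_key, ca: true)
  user_key = OpenSSL::PKey::RSA.new(2048)
  [Card.new(user_key, pin, issue(user, user_key.public_key, ca_cert, ca_key)), ca_cert]
end

# Verifier: the certificate must chain to our CA and be within its validity window, and the
# holder proves possession of the key by signing this session's challenge. Returns the CN or nil.
def authenticate(ca_cert, cert, challenge, sig)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  return nil unless sig && store.verify(cert)
  return nil unless cert.public_key.verify(OpenSSL::Digest.new("SHA256"), sig, challenge)
  cert.subject.to_a.assoc("CN")[1]
end
```

To try it, call `enroll`, have the card sign a fresh random challenge, and hand the certificate, challenge and signature to `authenticate`; a wrong PIN, a replayed signature over an old challenge, or a certificate from another issuer all yield nil, and no password ever crosses the wire.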
Step 5: Protect Identities, Not Gateways
Digital certificates are the proven means of securing an identity. Traditionally a complex and expensive system, certificates are now available from many vendors that provide them to organizations more cost-effectively via the cloud.
A cloud-based service can deliver a company-owned certificate, an Internet-based certificate, or a government-generated certificate into any form of credential that will protect an identity based on whichever standard is adopted by the user.
An identity can be used across different environments using the same technology. The significant advantage to this method is that it removes the proliferation of passwords, duplication of identities, and counterfeiting of goods. A digital certificate cannot be copied, altered, or transplanted from a credential.
From protecting your log-on across multiple sites to encrypting your email and hard disk, embrace multifactor authentication to avoid being the next victim.