What is the IoT (Internet of Things)? It is a widely used term, but one that is often misunderstood. The Internet of Things is the fleet of devices with embedded electronics and Internet connectivity that are everywhere you look. That includes weather monitoring sensors, traffic lights, the GPS unit on your bicycle, your car, your smartphone and countless other "things". These devices are literally everywhere. We are constantly swimming in a sea of things that have the ability to communicate with humans or with other devices.
A Google search will return enough results for a full month of reading, so I won't bore you with how the IoT affects so many different people and industries. What I'd like to talk about is what usually happens when a device is continuously connected to the Internet. Well, what usually happens is that it gets scanned, probed, attacked, brute-forced, taken over, DDoSed, shut down and/or destroyed.
It's not a matter of "if" but a matter of "when" it will happen. As with everything else in this world of ours, context is everything. Hacking a billboard in a deserted area to display a cartoon is not going to cause much trouble. Remotely taking over live implants or devices inside a live human body is entirely different.
There is a commonly held belief that many fundamentally disagree with: product manufacturers and vendors know what they are doing when it comes to security. After all, they have big budgets, they're the experts, you can trust them. Yes, they know how to build and sell products and devices. In fact, if their goal is to build and sell you a doll that can talk AND message with your daughter via the Internet, they've done a fantastic job of it. And if that was all there was to it, we'd be fine.
Well, it's not and we're not.
The most powerful and skilled businesses on the planet have been unable to secure the devices they've been building and selling for the last few decades. What makes you believe that's about to change now that we're building and selling even more of those things?
We're building them faster than we can audit them, assuming we care about auditing them in the first place. I can understand why some sectors don't pay too much attention to security. After all, if you're building "smart" dolls, you might not care too much about security, although this doesn't excuse your ignorance. If, on the other hand, your devices and gadgets are used in critical infrastructure, then as a manufacturer or vendor, it is your absolute duty to make sure that your products do not present risks to humans or the planet. You should know better and there is no excuse.
The BYOD movement is smack in the middle of this whole "thing". Employees and contractors will carry and use their own devices at work and then back home. Some argue that managing enterprise hardware and software is hard enough as it is, so why create more headaches by adding foreign devices? Others argue that it is better to manage the process than to forbid devices and still have employees ignore the ban and use the devices at work anyway. With BYOD and the growing use of laptops, smartphones and tablets, the business network perimeter is extended, but do we know to where? Many organizations are struggling to balance both their employees' needs and their security concerns.
It's the old Rules vs. Habits battle. Habits usually win. You can have all the rules that you can imagine; unless you train your staff to understand why a rule is important and what can be gained by respecting it, your employees will not respect that specific rule and will bypass it or ignore it. That is the cold reality. It's like coming to a gunfight armed with a stick. You might witness a miracle but then again...
Some system administrators live and die by what they expect the users they administer to do. If the admin expects users to work without admin rights, then they too do everything they can without admin rights. If a user is denied domain access with a mobile device, then they too would follow the same rule.
In the main, well-designed BYOD policies work as long as the users don't have a problem with devices meeting or exceeding the requirements of the domain, security, filtering, antivirus and updates and, importantly, have no expectation of privacy. If users store or access information on the device that is sensitive to the business and the security of the business, they should understand that the device can be wiped, audited or taken into possession for investigation if it's deemed necessary.
My say on BYOD is: same difference. Does that device have Internet connectivity? Yes? Then it has the potential of turning into a problem in seconds and should be considered armed, loaded and dangerous.
It does not matter what task the device was built to accomplish or what was or wasn't allowed. All that matters is what it does, how it behaves, what tools it was built with and how it was built. By blurring the definition of the network perimeter, both physically and in terms of asset ownership, BYOD has a significant impact on the traditional security model of protecting a company's network.
Security is not something that you can "perfect". Amazingly talented teams with huge budgets and world-renowned experts can still mess up a security implementation. Security is hard. So think hard about what devices you allow in your lives, offices, cities, homes because at the end of the day, it's your life.