The Problem with Security & What You Can Do About It

By Paula Bernier, Executive Editor, TMC  |  October 13, 2015

Did you hear about the Target point of sale attack? How about the woman who discovered a stranger was using her Foscam baby monitoring system to talk to her young child?

The Target PoS hack is one of the larger and higher profile security breaches of late. The Foscam example is among the more bizarre ones. What they have in common is that both point to how frequent and widespread security breaches are.

Indeed, the kind of breach Target experienced is common now, notes Kenneth Lowe, director of business development at Gemalto. Target had outsourced the management of its point of sale system to a service provider, and the hackers used a key to hack that service provider’s network, explains Vince Rico, business developer manager of the technology partner program at Axis Communications.

In that case, the hackers came in through the network and not through the device. But security holes can exist in a lot of places within the network or at the endpoint. That’s why organizations and their suppliers that are implementing IoT solutions should take a holistic approach to addressing security – rather than overlooking security until something bad happens.

Assessing the risk involved should the asset or data be hacked is the best way to decide on the appropriate level and type of security, indicates Tim Hahn, distinguished engineer at IBM, noting that he uses a different quality of lock on his home than he would in a bank.

“We will never thwart all the attacks,” he says, so it’s best to understand there will always be another attack, and to prepare for it in the most appropriate way possible.

There’s no silver bullet when it comes to security, of course, but there are some basic steps network infrastructure suppliers and their customers can take to allow for more secure solutions. Some of them are as simple as ensuring that manufacturers of endpoints like cameras don’t ship these devices with the security settings turned off, leaving them insecure out of the box.

Speaking of endpoints that are not secure out of the box, Clay Melugin, senior partner at RMAC Technology Partners, says most Nest devices have already been hacked, especially if they are purchased from Amazon. Many connected devices are powered by chips manufactured offshore, he adds, and concern about that has become so elevated that there is now a San Diego company that tests such chips to make sure nothing was added to them in the process.

Using crypto is another way to be more secure, Melugin suggests. If you put a key in crypto, he says, the hacker doesn’t find the private key. With crypto there’s matching encryption on the server side, so it authenticates every device it talks to.

Organizations that want to see how their solutions would stand up against hackers can have companies such as Dell do penetration tests for them. This is essentially an organized hack in which the tester hits your network with a bunch of packets to see how the network reacts and to reveal holes.

However, Dan Holden, director of Arbor Networks’ Security Engineering and Response Team, questions the value of penetration testing, which he indicates is often used to expose vulnerabilities but isn’t always followed by next steps to address them.

Matt Ramsay, vice president of business development at Accelerated Concepts, believes it’s important to bring security to the endpoint, or as close to the endpoint as you can.

Walling off is not the answer, he says, but layering can help. If you want to protect a house, you can get a fence, get a dog, put bars on the windows, and more – the point is there are multiple layers of protection. The same is true with networks and endpoints.

“It’s more than just bringing security to the appliance,” he says.

“You can’t always control your network,” he adds, so take the network as close as you can to the endpoint, and take a layered approach in the network.

Melugin says that a recent 60 Minutes report featured a security expert showing how a hacker was able to read Gmail before it even got sent.

“It’s happening in the network,” he says.

All of the above points to the potential for the Internet of Things to mess with not only individual people or businesses, but also the economy of an entire country, or the world, said Holden. The more connected things are out there, the larger the attack surface, he and some of the sources mentioned above noted. That, said Holden, opens the potential for a hacker to apply the brakes on not just a single Jeep Cherokee, but on large groups of vehicles across the country.

Edited by Kyle Piscioniere