IoT Security: Expert Q&AMarch 9, 2017 9:15 am ·
We live in a truly connected world. Not only does the average person check their phone for notifications once every 6 seconds, but connectivity within even everyday household items is becoming the norm. From your fridge to your light bulbs, the Internet of Things (IoT) is everywhere, and poses a unique threat to security.
This month, we sat down with security expert Jason Landers to talk about protection around the ever-present Internet of Things.
Experts Exchange: What is your current role and company?
Jason Landers: My name is Jason Landers and I am the Founder & CEO at Landrian Networks
EE: What are your qualifications and certifications in IoT protection?
JL: I have worked in the cyber security industry since before there was a dedicated cyber security industry at companies such as Intel, Microsoft, Mandiant, FireEye, and Malwarebytes. For example, at Intel I worked in what they used to call their Emerging Platforms Lab and we were developing “Next-generation secure wireless communications” for embedded and mobile devices. I have advised some of the largest companies in the world and a lot of more mid-size enterprises on cyber security best practices. I have also done technical integration work for a number of those same enterprises to make their products and technologies work better and more securely together.
EE: What do you see as some of the largest security risks facing smart technology?
JL: The “smart” label for starters. Non-technical consumers who purchase these technologies are not aware that what looks like a thermostat, for example, is actually a fully programmable computer. The industry markets smart devices as self-managing, zero-maintenance conveniences. The reality is that these are computers which require the same attention to security and software updates as any other. Without being made aware of that fact, though, consumers are not even given a chance to secure these. That puts them at a disadvantage against malware and malicious actors from the start. It also allows the vendors who sell smart devices to avoid maintaining them as often or for as long as they should because the end-users are never made aware of the risks.
EE: What devices involve more risk than others?
JL: Persistently connected devices which incorporate microphones and/or cameras are higher risk. This would include several models of Smart TVs, internet connected baby monitors, personal assistant devices such as Amazon’s Alexa, and similar devices. Once a device in your home with a microphone or camera becomes compromised the type of attacks that can be perpetrated escalate from mere data destruction or control over a single device into realms of personal privacy, extortion, financial fraud, and more.
EE: Any warnings or tips for consumers as they face this risk?
JL: Don’t buy a “smart” device just because of the “smart” label. Determine if you have a need or will benefited from it first over a traditional version of the same device. For example, if you are shopping for a new refrigerator and you see an internet-connected smart fridge next to an offline-only model, consider whether or not you actually will use those smart features. Once you have decided to buy a smart device the next important step is to research the track record of the vendor who produces it. This is one area where a lot of the time name-brands are safer than off-brands. This is not always the case, but the risk of a company stopping support or not providing software updates is much higher if they are new to the market.
EE: How do you think the desire for AI responsiveness has affected data protection protocols?
JL: Data protection protocols themselves are stronger than ever today. When the Snowden revelations exposed the true extent of domestic spying going on, a lot of companies in the industry took notice and reassessed what it takes to protect data. However, the proliferation of sensitive data and the sheer number of services and devices which have access to the data is increasingly a risk. There used to be only a couple of services that captured your home address or that required answers to security questions. Online banking, for example. Today, however, so many services are adding layers of validation in the name of more security which require us to divulge the same personal information in many more places. The macro result is that our data is less secure.
EE: What systems or products do you recommend for securing these gaps and threats, and why?
JL: For an enterprise I strongly recommend multi-factor authentication. You are also seeing this work its way into the consumer space as well. First in online banking and now a number of other services have opt-in, two-factor authentication. I strongly recommend taking advantage of these services which add security to your personal information and accounts by requiring you to input a pin that is texted to you in addition to knowing your password. This simple step can keep your information safe from hackers when any of those services become compromised in the future.
EE: How do you think technology is advancing to keep up with this risk?
JL: Security awareness about the risks as well as the methods that malicious actors use has already come a long way towards improving the situation in the past 5-10 years. For example, technology vendors used to treat the LAN as secure and trusted. The idea was that if another device was local to you then you must trust that device and there is no need for any security in between. Awareness, though, has shifted that attitude in recent years toward environments and defaults which don’t trust any other devices no matter where they are located. For that matter, we also see models now where the users also aren’t trusted. It has become too easy and too common for attackers to spear phish an email account within a corporation and through the always-trust model that assumed anything inside the local network was good. They wreak unchecked havoc far and wide.
EE: What steps or certifications would you recommend to tech professionals working to protect consumers from smart technology hacking?
JL: Certifications in networking technologies are very valuable. Cisco certifications remain among the best for their deep learning around network innerworkings. In order to defend a large environment against an attack you need to be aware of at least the fundamentals of how the operating systems work, and there are a lot of practitioners who have gone deep into that area which is a good thing. Less common, in my experience, are professionals who have stepped outside their comfort zone to learn the combination of network technologies with endpoint platform technologies. The most skilled adversaries exploit both as well as the unique way in which they come together, and you can best position your defense if you also have that more broad understanding.
Want more updates and content about Internet of Things? Follow the topic here!