The Internet of Things (IoT) value proposition is based on scale: The more devices that a business puts out there to collect information, the more actionable insights it has. The catch is that this scale often comes at the expense of security.
Here’s why: To achieve scale, IoT devices need to be dirt cheap, with just enough processing power and memory to perform their tasks. That leaves little or nothing for hosting security mechanisms.
At CDW’s recent Security Executive Summit, Bruce Schneier, Resilient chief technology officer and special adviser to IBM Security, discussed how IoT requires businesses and other organizations to rethink their security strategies. He warned that IoT security is vulnerable to economic forces: To maximize their profits on devices that have to be inexpensive, many vendors won’t embed security into IoT products, nor will they invest in the research and development cycles needed to provide security patches.
The latter is a significant problem for IoT devices that will be deployed for a decade or even longer, such as in fleet vehicles and utility infrastructure. Without periodic patches, they’ll spend most of their service life as backdoors for hackers.
Security Cameras Enable Record DDoS Attack
The CDW Security Executive Summit was held on the heels of an attack that illustrates why IoT security needs to be taken seriously, now. On September 20, the website of security researcher Brian Krebs was among those targeted by a distributed denial of service (DDoS) attack that, at about 620 gigabits per second, was nearly twice as large as the previous record holder. And more recently, on October 21, another DDoS attack was waged on servers belonging to Dyn, a DNS service provider, causing disruptions at websites for big-name companies including Amazon, Netflix and Twitter.
In both of these events, the attackers achieved massive scale by reportedly using as many as 1 million security cameras, DVRs and other internet-connected devices. One manufacturer of the devices involved recommended updating firmware to thwart future attacks.
But that advice can’t be followed for any IoT device that is a firmware orphan because its manufacturer needed to preserve its margins. So, for the foreseeable future, organizations should develop IoT security strategies that focus on the network, where there are more — and proven — options for stopping attacks before they can spread to or from IoT devices.
Mind the Gap
IoT is just one example of how and why organizations and their IT solution providers must rethink their security strategies. Another CDW Security Executive Summit speaker, Martin Roesch, chief architect for Cisco’s Security Business Group, discussed that big-picture aspect, which includes what he calls the “security effectiveness gap.” Roesch sees complexity increasing faster than capabilities, and as that gap grows, so does the risk.
This gap isn’t due to a shortage of available security tools; as Roesch noted, there currently are more than 1,500 vendors that offer such tools. Instead, security architecture needs to evolve to enable the integration, consolidation and automation that tame complexity and, in turn, maximize security.
If all of this sounds like a lot to think — and worry — about, that’s because it is.
But it is also an important time to step back and take heart in the fact that the security conversations we are having today have evolved drastically from those that took place even five years ago. Looking around at the CDW Security Executive Summit audience, I was humbled by how many leaders within a broad range of companies took the time to listen to security experts so that they might return to their organizations with ideas on how to strengthen their security posture.
We look forward to assisting our clients across the many vertical markets we serve to solve their most pressing IT management and security challenges in new and innovative ways.
Please feel free to check out more information about our expertise at www.cdw.com/security.