
Ben Prime
ServiceNow Employee

In my younger days I would bike around the neighborhood with the cable remote and change random people’s TV channels. It was good for a quick laugh to watch them shake the remote, or even the cable box itself, and just as they were comfortably back to watching their favorite show, oops, I’d change the channel again. Fast forward to some of the first Internet of Things (IoT) devices and a smart fridge, and my thoughts immediately shifted from drive-by channel changing to drive-by ice cubes being ejected across the kitchen. Although my first thoughts had been innocent, a few years after my ice-cube ejector theory the scary articles about criminal activity emerged: arson by smart toaster, credit card theft through a smart fridge grocery app, and nanny cam infiltration. It can be difficult to tell when a device is functioning properly and when there is malicious activity. IoT devices and botnet members have similar heuristic signatures because both are essentially dumb endpoints beaconing back to a controller: “hey, I am here, what job do you want me to do?”

With all the media attention, homeowners and the general consumer are appropriately wary, but what about government agencies and organizations that are using smart devices? These devices may sit in highly secure areas where confidential or classified information is held and discussed. What happens when the smart TVs on the walls of a security operations center, or the smart coffee makers and refrigerators in break rooms where watercooler shop talk happens, become conduits for adversaries to eavesdrop? Security becomes a problem if devices can be hacked to listen, watch, or even burn down the building when a slice of toast goes up in flames. The volume of devices expands beyond a finite set of servers and desktops to almost everything, down to the thermostat in every room. Information overload was already a problem when every device fit into the IPv4 address space; now the population has grown to the point that we need IPv6, with roughly 8 × 10^28 (2^96) times as many addresses. How do we see through the noise and the false positives? Is it your coffeemaker trying to find your phone to tell it “time to make the coffee”, or is it malware in a botnet asking for the next trojan dropper or rootkit? The more IoT we have, the harder it is to separate the threat from the benign. For security professionals managing large networks with a host of IoT, it’s like trying to pick out the one conversation that matters while standing in a stadium of people all talking to you at the same time.

The possibilities for misuse of IoT are not science fiction, nor something organizations have not already struggled with. Not too long ago a secure facility was in crisis mode because the security department had picked up a signal that they could not associate with any known device on the network. The investigation began with a specialized forensics team. They set up in the parking lot with a laptop and attempted to sniff network traffic for malicious activity. Inside, the network team was already trying to block the broadcasts. Entire network segments were being shut down as they tried to identify the origination point and contain any outbreak. Interviews were ongoing, probing for any planned or unplanned changes to the network that might have had an impact. Research was under way to assess whether this could be a new or prolific advanced persistent threat specifically targeting the organization or its data. The conclusion? After several hours of investigating they discovered that a smart coffee maker was broadcasting, looking for a phone to pair with. It wanted to know when it should start brewing.
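Much of the triage in that story, and the coffeemaker-versus-botnet question raised above, can be mechanized before anyone drives to the parking lot. The script below is an added example, not part of the original post and not ServiceNow code. It sorts beacon-like traffic by two questions: is the sending device in the asset inventory, and is it talking to a well-known LAN discovery address (mDNS, SSDP, DHCP) or on a regular timer to an external host? The flow records, MAC addresses, inventory entries and IP addresses (TEST-NET ranges) are all constructed for the example; in practice they would come from a flow collector, DHCP logs and the CMDB.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Well-known LAN discovery endpoints a consumer device uses to find a phone or hub.
LOCAL_DISCOVERY = {
    ("224.0.0.251", 5353, "udp"): "mDNS",
    ("239.255.255.250", 1900, "udp"): "SSDP",
    ("255.255.255.255", 67, "udp"): "DHCP",
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


@dataclass(frozen=True)
class Flow:
    ts: float  # seconds since capture start
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str


def is_internal(ip: str) -> bool:
    """RFC 1918, link-local, multicast and limited broadcast count as on-prem."""
    a = ip_address(ip)
    return (a.is_multicast or a.is_link_local
            or a == ip_address("255.255.255.255")
            or any(a in n for n in RFC1918))


def is_periodic(timestamps, min_samples=4, max_jitter=0.15) -> bool:
    """True when the gaps between connections are regular enough to be a timer."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def triage(flows, inventory):
    """Label each (device, destination) group; inventory maps MAC -> name and allowed dsts."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src_mac, f.dst_ip, f.dst_port, f.proto)].append(f.ts)
    findings = []
    for (mac, dst_ip, port, proto), stamps in groups.items():
        asset = inventory.get(mac)
        key = (dst_ip, port, proto)
        gap = "inventory gap: unknown device"
        if key in LOCAL_DISCOVERY:
            # The coffee-maker case: chatty, but it never leaves the LAN.
            pattern = f"{LOCAL_DISCOVERY[key]} discovery"
            verdict, severity = ("benign", "info") if asset else (gap, "low")
        elif is_internal(dst_ip):
            pattern = "internal traffic"
            verdict, severity = ("benign", "info") if asset else (gap, "medium")
        elif is_periodic(stamps):
            pattern = "periodic external beacon"
            if asset and key in asset["allowed"]:
                verdict, severity = "expected vendor/cloud check-in", "info"
            elif asset:
                verdict, severity = "known device beaconing to unapproved host", "high"
            else:
                verdict, severity = "unknown device beaconing externally", "critical"
        else:
            pattern = "irregular external traffic"
            verdict, severity = ("review", "low") if asset else (gap, "medium")
        findings.append({
            "device": asset["name"] if asset else f"unknown ({mac})",
            "dst": f"{dst_ip}:{port}/{proto}",
            "pattern": pattern, "verdict": verdict, "severity": severity,
        })
    return sorted(findings, key=lambda x: SEVERITY_ORDER.index(x["severity"]))


# Constructed inventory and flows (hypothetical MACs, TEST-NET addresses).
INVENTORY = {
    "00:11:22:33:44:55": {"name": "SOC wall TV", "allowed": {("203.0.113.10", 443, "tcp")}},
    "66:77:88:99:aa:bb": {"name": "analyst laptop", "allowed": set()},
}


def sample_flows():
    mk = lambda mac, ip, port, proto, times: [Flow(t, mac, ip, port, proto) for t in times]
    return (
        # Break-room coffee maker, not in the CMDB, asking the LAN for its phone every 30 s.
        mk("de:ad:be:ef:00:01", "224.0.0.251", 5353, "udp", (0, 30, 60, 90, 120))
        # SOC TV checking in with its approved vendor endpoint every 60 s.
        + mk("00:11:22:33:44:55", "203.0.113.10", 443, "tcp", (0, 60, 120, 180, 240))
        # Unknown device on a jittered 60 s timer to an external host: the one to chase.
        + mk("de:ad:be:ef:00:02", "198.51.100.7", 8443, "tcp", (0, 58, 121, 179, 240))
        # Laptop browsing: external, but irregular.
        + mk("66:77:88:99:aa:bb", "198.51.100.50", 443, "tcp", (0, 3, 4, 40, 41))
    )


if __name__ == "__main__":
    for f in triage(sample_flows(), INVENTORY):
        print(f"{f['severity']:<8} {f['device']:<28} {f['dst']:<24} {f['pattern']}: {f['verdict']}")
```

Run as a script, the output puts the unknown device with a regular external timer at the top as critical, the coffee maker lands as a low-severity inventory gap (noisy, but confined to the LAN), and the approved vendor check-in from the wall TV is informational. The point is the combination: periodicity alone would flag the TV, and an inventory lookup alone would flag the coffee maker; together they separate the one conversation that matters. The jitter threshold and the allow-list are the knobs a SOC would tune against its own baseline.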

IoT devices are just the latest addition to an already noisy network. This raises the question we touched on before: how can you manage the overload of information to identify threats? It is impractical to filter the volume of information coming into a security operations center without incident management and vulnerability response applications working in unison. Even when security analysts adopt tools to help prioritize the information, they are still siloed from IT operations. The manual handoffs add critical time to investigations and remediation unless the teams adopt an enterprise platform for visibility and cross-functional automation. It is equally difficult to monitor for compliance violations or risks to the organization without enterprise policy and compliance as part of a formal integrated risk management product. Violations could include installing smart devices in areas that should be free of them, or opening ports that have not been approved. A risk management framework such as NIST RMF or the NIST CSF puts a formal process in place to reduce the possibility of actions, or inactions, that increase an organization’s exposure.

For the organization to fully manage risk, a single holistic platform allows for continuous visibility into: 

  • What is on the network. 
  • Who is on the network. 
  • What is happening on the network. 
  • How the network is protected. 

The new ServiceNow Continuous Authorization and Monitoring (CAM) application can help you automate NIST RMF and operationalize other standards and risk frameworks. Built on the ServiceNow platform, it streamlines and simplifies the process of managing risk and provides top-down and bottom-up visibility: from the enterprise level down to the IT security risks that affect the mission. It brings mission and enterprise objectives into a rapid accreditation cycle by defining enterprise and architecture oversight, policies, common controls, and continuous visibility into control inheritance. Rapid accreditation is not only possible, it’s here.

We live in a world where IoT gives us many options, but Occam’s razor applies: the simplest solution is often the best. When you don’t need the camera and microphone on a smart TV in a cyber SOC, physically remove them. Avoid smart device purchases when the only thing you can say about a feature is “that’s cool” and it is not secure. Invest in artificial intelligence (AI) that can focus your attention on anomalous activity and prioritize it based on your organization’s business needs and mission. And invest in solutions that let you cut through the noise, respond to risk more quickly, bring vital systems online when you need them most, and adapt to changing times.

Read more about Continuous Authorization and Monitoring for NIST RMF, or visit our ServiceNow Integrated Risk Management webpage for more information.