Battening Down for the Rising Tide of IoT Risks

By Anthony J. Ferrante

ISSA Journal | August 2017

©2017 ISSA • www.issa.org • [email protected] • Permission for author use only.

This article will discuss how the Internet of things has evolved over the last two decades and the security risks that have emerged as a result. It will include a discussion of the key problems with IoT development and regulation and the most pressing challenges security professionals need to consider when developing programs that include IoT security.


The Internet of things (IoT) has taken the world by storm, quickly evolving in recent years to offer society unprecedented levels of interconnectedness and efficiency. For decades, technologists have been developing products that offered some level of connectivity to the Internet, but today the landscape is changing faster than our ability to keep pace. IoT technology is both impressive and useful, offering a wide range of benefits for consumers and businesses. With these benefits come equal risks, many of which we can’t fully understand, given how rapidly new devices are coming online. For security professionals, it is critical to acknowledge the risks and begin to evaluate the many ways in which these devices may be exploited by hackers.

This article will discuss how IoT has evolved over the last two decades and the security risks that have emerged as a result. It will include a discussion of the key problems with IoT development and regulation, and the most pressing challenges security professionals need to consider when developing programs that include IoT security. The article also shares proactive steps organizations can take to establish or strengthen these programs.

IoT first began to take shape in the late 1990s when Kevin Ashton, a technology pioneer who co-founded the Auto-ID Center at MIT, coined the phrase “the Internet of Things” in a presentation to Procter & Gamble in 1999. Ashton defined the concept as, “today computers—and, therefore, the Internet—are almost wholly dependent on human beings for information” [1]. By June of the following year, LG had launched the first Internet-connected refrigerator, and Cisco deemed that in 2008 IoT was born at “the point in time when more ‘things or objects’ were connected to the Internet than people.” Cisco cited that by 2010, with the growth of smartphones and tablets, the number of devices connected to the Internet was 12.5 billion compared to a human population of 6.8 billion [2]. The expansion of networking capabilities, emergence of advanced analytics tools, and cloud growth have all contributed to IoT’s proliferation around the world.

IoT momentum and risk

Gartner estimated that 5.5 million new connected devices came online each day in 2016 and that $235 billion was spent on related services, most of which were professional services [3]. The growth opportunity around the IoT space is massive, providing efficiencies for businesses and our personal lives and new ways for businesses to generate revenue. Because of the many benefits, organizations are quickly integrating these devices into their business operations, and according to a recent study 85 percent of organizations are considering, exploring or implementing an IoT strategy [4].

However, from a security perspective, this explosion should be considered a red flag because IoT hardware and software are not built with security as a priority. Largely, once these devices are connected, they are simply left alone to function without any management, patching, or updating. Devices are coming online so quickly that most security professionals can hardly grasp the range of risks, let alone how to arm against them. And in 2015, there was a 458 percent increase in the number of times hackers searched Internet of things connections for vulnerabilities [5]. Most organizations—one survey cited 88 percent—lack full confidence in the security of their connected devices and that of their business partners [6]. Hackers are acutely aware of the opportunity IoT devices open up for them to wreak havoc and steal data.

Another challenge is the fact that these devices come with out-of-the-box default settings that are not typically changed when they are put into use. A manufacturer may distribute 100 million devices around the world, all of which have the same default username and password. It doesn’t take much for a hacker to find those default settings and use them to tap into and control an army of devices from one computer. They can be exploited for the sensitive data they contain, or controlled to launch a cyber attack on individuals or businesses. We’ve seen this already a number of times: the hijacking of nanny-cameras or baby monitors comes to mind for many people. One example was the Trendnet webcam incident in January 2012, in which hackers posted live feeds online from nearly 700 private cameras [7]. But over the last year, there have been much more extensive attacks that have severely impacted businesses.

In October of last year, hackers launched the Mirai botnet, which has become widely available across the hacker community [8], to execute a massive distributed denial-of-service (DDoS) attack on Internet domain name server (DNS) provider Dyn. Many mainstream websites, including Twitter and Spotify, were impacted. Aside from the sheer scale, what was unique about this attack was that Mirai infiltrated connected household devices, such as DVRs and cameras, as the platforms for sending a slew of messages used to clog Dyn’s servers. Intelligence was shared across the security community that Mirai was also suspected as the cause for North Korea’s Internet disruption in June 2017. Recently, researchers at Radware identified a series of permanent denial-of-service (PDoS) attacks, implemented through the rapidly evolving BrickerBot, designed to compromise IoT devices and corrupt their storage [9]. At the last evaluation, the attacks were wide-reaching across the globe, with no specific region as a primary target.

Riding the tidal wave

Awareness of and appreciation for this issue is headed in the right direction, as 96 percent of IT professionals in one survey said they expect to see an increase in cyber attacks on industrial IoT devices in the coming year [10]. However, as noted above, this awareness doesn’t always translate into action, and most security teams are simply uncertain of how to keep up with the rapid changes in devices and new vulnerabilities. Once awareness is established, it is important to recognize the scope and scale at which these devices are coming online and be prepared to take action accordingly.

In-house security professionals can take a handful of steps to proactively address the emerging challenges brought forth by IoT. These include the following:

• Risk assessment: Working with cross-functional teams, security stakeholders can begin to take stock of the broad IoT landscape—and existing bots that may be used to execute attacks—as well as the existence of IoT devices within the organization’s firewall. This effort will help identify potential vulnerabilities in existing processes and technology and should involve the steps recommended by the Compliance Governance & Oversight Council (CGOC), including user interviews, system testing, creation of a heat map of sensitive data, and strategic planning [11]. An extensive risk assessment will be the starting point for any efforts to put a wall around internal and external IoT threats.

• Build an intelligence repository: Each time IoT devices are used in an attack, experts are getting smarter about how to defend against them. An organization that keeps a repository of this intelligence, and actively tracks activity, will be ahead of the game in knowing which security measures must be put in place. Studying attacks and evaluating cyber threat indicators that have been identified will serve as a meaningful foundation for the intelligence repository. Working with federal authorities can help with this, and the FBI has a Cyber Action Team that is dedicated to incident response and supporting intelligence activities with companies that have experienced a breach [12].

• Secure devices: Following security best practices, including keeping systems up to date and patched, is critical. Air gapping IoT devices, or data repositories that contain highly sensitive data, from the rest of the network is another way to build in extra protection against inherent vulnerabilities.


• Leverage innovation: Emerging technology can also be leveraged to help build more security around IoT. Blockchain is one technology that some experts are looking at as a possible solution to IoT security. IoT expert Ahmed Banafa has written “Blockchain’s big advantage is that it’s public. Everyone participating can see the blocks and the transactions stored in them. However, that doesn’t mean everyone can see the actual content of a transaction; that information is protected by a private key…A blockchain is decentralized, so no single authority can approve transactions or set specific rules to have transactions accepted” [13]. The thinking is that a public Ledger of Things enabled by blockchain would help to organize, secure, and share the automated collection of data from billions of devices [14].

• Develop policy: The wave of practices and changes around bring-your-own-device (BYOD) workplaces over recent years can serve as a starting point for developing strategies around IoT devices. The two areas share some similar risks, and generally start with implementing sound information governance practices that put structure and policy around an organization’s entire data landscape.

In addition to technology and practical considerations, security professionals should also be mindful of emerging policy that may impact IoT usage and security. The reality is that it is very easy to create these types of devices, and currently no regulations apply. The Mirai attacks mentioned above sparked a handful of high-level policy discussions around how the manufacture and distribution of IoT devices being imported into the US may be governed to ensure stronger protection against hackers. Some have proposed standards to require built-in safeguards based on knowledge around how existing vulnerabilities have been exploited to date. However, this is challenging, given the global nature of this issue and that even strong standards in the US would not protect against the threats of attacks using devices from unregulated regions. Some say international law may be helpful, but that type of agreement is not expected in the foreseeable future.

Standards groups are also coming on the scene to better connect emerging software, which could in theory provide a foundation for developing stronger global security against IoT-related threats. The Linux Foundation has established the AllSeen Alliance and its AllJoyn Framework to accelerate connectivity across the IoT universe. AllSeen recently merged with the Open Connectivity Foundation to strengthen the global connected ecosystem. These types of standards organizations and software development frameworks are bringing together top minds to address challenges and opportunities and may help solve some of the IoT security challenges. Regardless, these groups further underscore the level of attention the international community is now paying to this emerging technology sector.

Conclusion

Today, no comprehensive technology exists to protect against IoT risk, leaving security teams to formulate unique solutions. Each organization’s needs are different and impacted by a handful of parameters including size of the organization, the industry it is in, whether or not it operates internationally, and the sophistication of its information management programs. IoT has introduced unprecedented challenges, and professionals should expect that many of the problems are only going to get worse. Botnets like Mirai and BrickerBot will continue to evolve, and new bots will be released into the hacker underworld. Taking time to identify and mitigate risk and establish best practices are meaningful steps that can be taken despite the many uncertainties. Further, security professionals cannot underestimate the value of the intelligence and knowledge present among the people within the organization and how those insights can be relied upon to build holistic security regardless of the new obstacles on the horizon.

References

1. Kevin Ashton, “That ‘Internet of Things’ Thing: In the Real World, Things Matter More Than Ideas,” RFID Journal, June 22, 2009, http://www.rfidjournal.com/articles/view?4986.

2. Dave Evans, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything,” Cisco, April 2011, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf.

3. Gartner, Inc., “Gartner Says 6.4 Billion Connected ‘Things’ Will Be in Use in 2016, Up 30 Percent from 2015,” Gartner Newsroom, November 10, 2015, http://www.gartner.com/newsroom/id/3165317.

4. AT&T, “IoT Evolution: Security Trails Deployment,” AT&T Cybersecurity Insights, October 2015, https://www.business.att.com/cybersecurity/archives/v2/iot/.

5. AT&T, “The CEO’s Guide to Data Security: Protect Your Data through Innovation,” AT&T Cybersecurity Insights, October 2016, https://www.business.att.com/cybersecurity/.

6. AT&T, “IoT Evolution: Security Trails Deployment,” AT&T Cybersecurity Insights, October 2015, https://www.business.att.com/cybersecurity/archives/v2/iot/.

7. Richard Adhikari, “Webcam Maker Takes FTC’s Heat for Internet-of-Things Security Failure,” TechNewsWorld, September 5, 2013, http://www.technewsworld.com/story/78891.html.

8. Symantec Security Response, “Mirai: What You Need to Know about the Botnet Behind Recent Major DDoS Attacks,” Symantec Official Blog, October 27, 2016, https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks.

9. Radware, “BrickerBot PDoS Attack: Back with a Vengeance,” Radware Threat Advisories and Attack Reports, April 21, 2017, https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-back-with-vengeance/.

10. Ray Lapena, “More Than 90% of IT Pros Expect More Attacks, Risk, and Vulnerability with IIoT in 2017,” Tripwire, March 13, 2017, https://www.tripwire.com/state-of-security/featured/90-pros-expect-attacks-risk-vulnerability-iiot-2017/.

11. FTI Technology, “Auditing Organizational Risk and Implementing Effective Programs,” FTI Technology Information Governance, October 6, 2016, http://static.ftitechnology.com/docs/toolkits/information-governance-assessment.pdf.

12. FBI, “The Cyber Action Team: Rapidly Responding to Major Computer Intrusions,” FBI News, March 4, 2015, https://www.fbi.gov/news/stories/the-cyber-action-team.

13. Ahmed Banafa, “A Secure Model of IoT with Blockchain,” OpenMind, December 21, 2016, https://www.bbvaopenmind.com/en/a-secure-model-of-iot-with-blockchain/?utm_source=views&utm_medium=article06&utm_campaign=MITcompany&utm_content=banafa-jan07.

14. Jeffrey D. Neuburger and Jonathan P. Mollod, “Blockchain: The Key to True Cybersecurity?,” New York Law Journal, June 5, 2017, http://www.newyorklawjournal.com/id=1202788075067.

About the Author

Anthony J. Ferrante is a Senior Managing Director at FTI Consulting and is based in Washington, DC, in the Global Risk & Investigations Practice (GRIP) of the Forensic & Litigation Consulting segment. He served as Director for Cyber Incident Response at the US National Security Council at the White House, where he coordinated US response to unfolding domestic and international cybersecurity crises and issues. He may be reached at [email protected].
