As IoT focuses on ease of access, vulnerability management suffers
The task of securing IoT devices requires herculean effort. Like Hercules fighting the Hydra, it often seems that for each vulnerability that gets patched, two more rise up to take its place. For all the good that IoT has done in our personal and professional lives, the reality is that innovation has continued to outpace security, and new IoT devices are still hitting the market without adequate security measures.
This comes as little surprise given the exponential growth that the IoT industry has enjoyed over the past decade. In 2009 there were fewer than a billion IoT devices in use, according to Statista. By 2020, that number is expected to grow to more than 20 billion. How can security controls keep up? How can IT teams accustomed to dealing with standard OSes like Windows, Linux and Unix adapt to the hundreds, even thousands, of different OSes used by IoT devices? Is it even possible to standardize security when the attack surface spans such a broad range of devices?
There are no easy answers, of course, but the task of vulnerability management isn’t going away. Thankfully, there are concrete steps that manufacturers, integrators and end users can take to help move the industry in the right direction.
Building a better baseline through education
One of the most pressing issues in IoT security is the lack of general knowledge. This knowledge gap represents a real problem, and addressing it is a key part of what will move the IoT industry forward and grow consumer confidence. It can be tricky for IT teams unfamiliar with the ins and outs of specific IoT devices to identify which vulnerabilities represent major problems and which don’t. If IT teams don’t understand the context in which a device operates, it can lead to drastic steps such as unnecessarily isolating a seemingly vulnerable device from the network.
The matter is compounded by the fact that most IT security departments also expect IoT devices to have the same security and mitigation controls as the enterprise servers they put on their network. Most IoT devices are application-specific and have limited memory and computing power. They also rarely run a full OS, so many of the security controls an enterprise relies on for mitigation are simply not available on them. It’s important for end users to develop a network security baseline specific to IoT devices, rather than trying to fit the IoT device into their current network security guidelines.
Reputable manufacturers regularly issue patches to correct any vulnerabilities they have identified. In fact, most will even have a contact form where users can report potential vulnerabilities that the company has yet to patch. But it’s important to realize that these things take time. It takes an average of 38 days to patch a vulnerability, according to tCell’s “Security Report for In-Production Web Applications,” but savvy attackers know that most organizations won’t install a patch the day it becomes available.
In my experience, it generally takes enterprises between 120 and 180 days to actually install a patch. This creates a window during which many attackers will attempt to use the unsecured device to infiltrate a network. Helping users understand the importance of immediate patching can help mitigate this issue. To make matters worse, attackers have become faster than ever at exploiting these vulnerabilities. Recent research from Gartner indicates that the average time between a vulnerability being reported and its being exploited was just 7.72 days in 2017, a dramatic drop from 13.5 days in 2016 and 25.4 days from 2008-2015. The window of opportunity for attackers is bigger than ever.
Similar education is needed regarding product life spans. Responsible companies will generally attempt to patch older products for as long as they can, but at a certain point every device becomes obsolete. Many devices reach a point where there is no longer enough space on the device for the installation of a patch meant for a newer product. The fact is that, the longer a device is on the network, the more vulnerable it becomes. In this way, product longevity can actually become a negative because it can cause vulnerable devices to remain connected to a network long past the date that the manufacturer stops supporting them. Helping IT teams gain a firmer understanding of the intended life span of a product can lessen this problem as well.
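As an added illustration (not code from the article or its author), the following Python sketch puts the article’s figures to work on a constructed device inventory: it measures how long each device has been exposed since a vulnerability was disclosed, compares that against the 7.72-day mean time-to-exploit, and flags devices that are past vendor end of support and so will never receive a patch. The device names, dates and record layout are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Figure quoted in the article: mean days from disclosure to exploitation (Gartner, 2017).
MEAN_DAYS_TO_EXPLOIT = 7.72


@dataclass
class Device:
    name: str
    vuln_disclosed: Optional[date]  # date a vulnerability affecting the device went public
    patched_on: Optional[date]      # date the fix was installed; None means still unpatched
    end_of_support: Optional[date]  # date after which the vendor ships no more patches


def exposure_days(dev: Device, today: date) -> int:
    # Days between public disclosure and the installed patch (or today, if still unpatched).
    if dev.vuln_disclosed is None:
        return 0
    end = dev.patched_on if dev.patched_on is not None else today
    return max((end - dev.vuln_disclosed).days, 0)


def assess(dev: Device, today: date) -> Tuple[int, List[str]]:
    # Return the exposure window plus the findings that make this device a priority.
    findings: List[str] = []
    days = exposure_days(dev, today)
    if dev.vuln_disclosed and dev.patched_on is None and days > MEAN_DAYS_TO_EXPLOIT:
        findings.append("unpatched longer than the mean time-to-exploit")
    if dev.end_of_support is not None and dev.end_of_support < today:
        findings.append("past vendor end of support; no patch will ever arrive")
    return days, findings


def summarize(inventory: List[Device], today: date) -> Dict[str, int]:
    # Fleet-level counts a security team would track week over week.
    counts = {"devices": len(inventory), "unpatched_past_exploit_window": 0, "end_of_support": 0}
    for dev in inventory:
        _, findings = assess(dev, today)
        counts["unpatched_past_exploit_window"] += sum("unpatched" in f for f in findings)
        counts["end_of_support"] += sum("end of support" in f for f in findings)
    return counts


# Constructed sample inventory (hypothetical device names and dates, not from the article).
TODAY = date(2018, 6, 1)
INVENTORY = [
    Device("cam-01", date(2018, 5, 1), date(2018, 5, 5), date(2021, 1, 1)),  # patched in 4 days
    Device("cam-02", date(2018, 5, 1), None, date(2021, 1, 1)),             # 31 days and counting
    Device("sensor-07", None, None, date(2017, 12, 31)),                    # no known bug, but end of life
    Device("gw-03", date(2018, 5, 28), None, None),                         # 4 days: still inside the window
]
```

Running `assess` over each entry and `summarize` over the whole list shows why a 120-to-180-day enterprise patch cycle is a problem: every unpatched device crosses the 7.72-day mark long before the fix lands.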
How can certifications help?
Another way to help close the knowledge gap is through certifications. These days, certifications are everywhere. From car companies to lightbulb manufacturers, it’s hard to find a consumer product that isn’t certified by some regulatory board or another. But for some reason, IoT devices have largely escaped this excess of certification, resulting in a market that is flooded with devices that can be difficult to distinguish from one another. This is a problem, particularly for customers searching for devices like connected surveillance cameras where evaluating available security options is an obvious priority.
Thankfully, this has already begun to change as more manufacturers embrace the idea of third-party certification. Customers are growing more discerning as they become better informed, and requests for proposals today often specifically ask about certifications and recent audits. Customers increasingly want to verify that they’re working with a responsible company that will stand by its products, manage vulnerabilities and issue patches as needed. These certifications have finally given them a way to do it.
It’s something of a self-fulfilling prophecy; the more responsible companies buy into the idea of third-party validation, the more exposure customers have to that validation and the more trustworthy it becomes. This type of symbiotic relationship benefits everyone, but the lack of network security baseline standards for IoT devices means it will remain an uphill climb in the short term. I am hopeful that an international organization will develop an IoT certification that can be globally recognized, unifying the many regional certifications that enterprises must currently navigate.
GDPR sets the standard
Legislation is another important part of the equation, although the U.S. currently lacks comprehensive breach notification regulations at the federal level. Instead, the U.S. allows individual states to create their own guidelines. The resulting mishmash of laws and statutes has created a difficult environment for organizations operating across state lines, as it can be difficult to know when it’s necessary to disclose a breach or vulnerability to users. The National Conference of State Legislatures provides a handy guide that illustrates just how varied these regulations can be.
But fear not, because there is hope. The E.U.’s much-discussed General Data Protection Regulation (GDPR) represents perhaps the most sweeping change to international privacy law in history. GDPR grants individuals greater control over their personal information while unifying Europe’s data protection regulations under a single, easier-to-understand umbrella.
The most relevant section of GDPR for the purposes of vulnerability management is Article 25, which states that companies processing personal data, such as manufacturers of IoT devices, must have appropriate data protection measures in place. Rather than attempt to implement specific security measures that would quickly become obsolete as technology advances, GDPR instead outlines the mindset with which companies must approach the problem.
For now, GDPR only applies to companies operating in Europe, but savvy manufacturers are already anticipating the enactment of similar regulations elsewhere throughout the world. The winds of change are blowing toward greater security, and manufacturers must recognize that in the public mind, they bear the majority of the responsibility for vulnerability management. Integrators and contractors are often overlooked in U.S. regulations, which can put manufacturers in a difficult position. GDPR’s Secure by Default requirement addresses this issue by allowing integrators to be fined for failing to properly install or configure otherwise secure equipment.
This further underscores the importance of education initiatives and the fact that integrators and contractors must be included in those efforts. Manufacturers are often accused of making their devices too open, an accusation that overlooks the fact that ease of access is one of IoT’s biggest selling points. What’s important is having appropriate controls in place, and manufacturers have expressed frustration with the fact that the integrators putting their products into place have failed to understand how to appropriately apply those controls in the best interest of the customer. After all, what good does it do to design a product with security in place by design and default if the customer is never made aware that the protections exist? By ensuring that integrators have a more intimate understanding of IoT devices, this problem can be mitigated.
Working toward a more secure future
The rapid growth of IoT appears unlikely to subside anytime soon. Innovative new devices will continue to enter the market, providing exciting new tools and resources across a broad range of industries. But with these tools will come security challenges, and manufacturers, integrators and users must all be prepared to do their part to address them.
Legislation will come and certifications will grow in importance, but the key to effective vulnerability management is — and will remain — education. From available security controls to life cycle management, each party has a role to play and each must understand the steps they can take to improve device security.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.