Alex Cox, senior manager, RSA FirstWatch
Alex Cox, senior manager, RSA FirstWatch

A toaster named Brad that connects to the internet, tweets and asks to be used? 

While we aren't quite there yet, the Internet of Things (IoT) promises to enhance human existence by providing new capabilities to existing technologies and applying new technologies to existing situations. 

Are there security considerations of such connectivity? Will security professionals have to address these new connections and how they impact the enterprise and its security posture? Will attackers discover new ways to leverage these technologies to further breach networks and accomplish their goals?

The short answer is “Yes, of course,” but the truth is the IoT and attackers using these “things” for compromise is not a new concept. Many existing connected devices, such as webcams and printers, run an embedded version of Linux, or Windows XP and are vulnerable to many of the exploits and exposures that the connected server or desktop is. In fact, the operationalizing of these sorts of attacks is already here. The metasploit framework, a common pen testing tool used for the automated compromise of endpoints, contains exploits for the Universal Plug and Play protocol which many connected devices use to connect to a TCP/IP network. As new devices are connected,  new techniques will develop, and defenders will need to come up with new methods of defense.

These devices generally fall outside of your enterprise patch cycle and the availability of updates to fix vulnerabilities are usually slow to appear or non-existent. The future of the IoT will far outpace what we see today, and we are already seeing the intro of this via wearable computing technologies, internet-connected learning thermostats, and more. While today's devices are mostly “dumb,” the future will bring devices that use predictive technologies, intra-device communication and sensor networks to respond to their environment in a “smart” way, which will considerably broaden the attack surface of such connectivity. 

Physical considerations are also of note here. Most defenders are currently focused on the implications of network and endpoint defense. That is, defending the network from intrusion or the endpoint from data loss. The IoT brings the additional specter of kinetic manifestation of information security issues.  For example, if a home or business security system connects to the internet to allow remote arm and disarm, or locking and unlocking of doors, then a compromise of that system might allow an attacker to pivot into the internal network and give himself physical access to the facility. This is a risk area that is usually relegated to building security. Expanding that access to life or business support systems in certain environments could extend such compromise into a life-threatening or business-critical situation. 

So what's the answer? The answer is to use an intelligence-focused approach to evaluate your risk and respond accordingly. Ask yourself a number of questions to realistically identify the threat and its capability to impact your network. Do I understand the presence, and security implications, of these devices on my network?  If a bug is “unpatchable” can I put other defenses in place to minimize exposure? Do I understand how attackers may be leveraging these devices currently? Have I tried to leverage these devices the way an attacker would to see what is possible? Do I have visibility into the places where these devices are located so I have notice of unusual or malicious behavior? Do I have areas where a compromise might have kinetic impact on employee safety or business critical operations?

Introspection, thoughtfulness and a healthy dose of paranoia will help you through these issues!