IoT security needs pen testing approach
IoT security is challenging—largely because the millions of IoT devices in the field can interact with enterprise systems in numerous ways.
Those systems include internal ones—Internet of Things (IoT)-enabled door locks and lightbulbs in corporate office buildings, for example—as well as external ones, typically sitting at a remote site (more often than not an employee’s or contractor’s home these days) and jumping onto the enterprise local area network (LAN) or wide area network (WAN) by piggybacking on a VPN.
In addition, devices can be compromised in a couple of ways: (1) the original code from a manufacturer could include bugs or malware (with or without the manufacturer’s knowledge) when shipped; or (2) malicious attackers can hijack a unit’s code months later with malware. Once an IoT device gains access to the network, often with its very own IP address, it unleashes all of these security nightmares.
Even worse—and this undercuts security triage—malicious code can prompt malicious actions from devices (such as changing the chemical percentages on a pharmaceutical assembly line), contradicting their manufactured purpose. But insidious code might just as easily use a device merely as a network conduit, so it doesn’t matter whether its official purpose seems dangerous, given that the goal is simply to access the network and do damage from afar.
With all these avenues for a breach, what is an enterprise CISO or CIO to do? Having a team of benevolent “hackers”/penetration testers repeatedly review the code of every IoT device for nefarious instructions can be cost-prohibitive. Besides, it is unlikely to help the legions of consumer-grade IoT devices sharing the home LANs of your personnel as your security team won’t typically have full access.
To Pen Test IoT Devices or Not?
Still, many argue that pen testing an enterprise’s IoT devices is critical. The question is, how often is prudent and cost-effective? The answer to that question will vary widely from one enterprise to the next.
Steve Zalewski, the deputy CISO for $6 billion global apparel firm Levi Strauss & Co., said that he sees IoT pen testing as a no-brainer. “These are untrusted unverified devices on my trusted networks,” Zalewski said. “This is immature technology without mature security controls.”
“We have got to bring some rigor,” he continued. “The problem with IoT devices is that security is not considered within the functional capabilities of the devices.”
To read the complete article, visit IoT World Today.