Intelligent CISO Issue 65 | Page 28

Businesses must recognise that IoT devices are primarily embedded , dedicated computer systems and quite limited at that . becomes ‘ owned ’, it can easily spread to the remainder of the cluster . The privacy issues arise due to the data collection mechanisms which may lead to user profiling and identification of individuals in unforeseen use case scenarios .
Poorly deployed Internet-of-Things ( IoT ) devices have the power to bring an organisation to its knees .
editor ’ s question

?

s we have seen

A recently , unpatched , poorly deployed Internet-of-Things ( IoT ) devices have the power to bring an organisation to its knees .

This is partly due to how IT teams approach IoT security in the first place , it ’ s vastly different to traditional cybersecurity measures .
Traditional security models assume that all elements ‘ inside ’ the network can be trusted . Everyday IoT devices added to company networks increase the number of endpoints and provide backdoor access . A basic rule of thumb in security is that the more devices an organisation has exposed to the Internet , the bigger the risk of attack . It essentially means you are more likely to have neglected devices which are not updated and hence more vulnerable .
The utmost care needs to be taken when deploying IoT devices with regards their life cycle , data collection mechanisms and overall security protocols . The sheer scale of deployment of these limited-function embedded devices in public areas and workplaces can lead to unique attacks . There is also the worry of the domino effect where if one device

Businesses must recognise that IoT devices are primarily embedded , dedicated computer systems and quite limited at that . becomes ‘ owned ’, it can easily spread to the remainder of the cluster . The privacy issues arise due to the data collection mechanisms which may lead to user profiling and identification of individuals in unforeseen use case scenarios .

Businesses must recognise that IoT devices are primarily embedded , dedicated computer systems and quite limited at that . They are often single purpose devices performing specific functions within a wider more complex system . Therefore , the security mechanisms must be equally specialised and aimed at protecting against more targeted attacks which are quite often unique to the functionality of that device .
Adopting security support ecosystems such as large databases of malware signatures is unlikely to find adoption or be implementable on these devices . A more practical solution is to enforce rulesbased filtering to control communications from specific authorised devices .
At the same time , there needs to be appropriate preventive , detective
KEVIN CURRAN , IEEE SENIOR MEMBER AND PROFESSOR OF CYBERSECURITY AT ULSTER UNIVERSITY

Poorly deployed Internet-of-Things ( IoT ) devices have the power to bring an organisation to its knees .

and corrective controls in the form of policies , standards , procedures , organisational structures , software or technology functions and monitoring mechanisms are therefore required to minimise the risks associated with the confidentiality , integrity and availability of information assets within an organisation .
A key aspect of keeping an organisation safe from attacks is to ensure that senior IT management has a more holistic understanding and approach to cybersecurity . It is best practice to adopt a Zero Trust policy .
However , Zero Trust is reliant on strong governance processes . Therein lies the challenge , as it requires enterprises in many cases to enforce new processes across the organisation and this is never easy . Employees also may not take kindly to the added burdens of accessing machines and the reduced access levels enforced by least privilege .
Organisations should also make sure that employees have up-to-date security protection on their devices , such as virus checkers , firewalls and device encryption . It is also crucial that organisations monitor networks 24-7 , looking for potential intrusions and unusual activity on the network . However , how many actually do this and take the appropriate actions , is questionable .
28 www . intelligentciso . com