Recent months have seen growing concerns about the security challenges of the connected world being ushered in by the Internet of Things. With more devices and sensors being connected to the Internet, the potential for hackers to disrupt life in unexpected ways is rapidly evolving. So far, however, most discussions of the threat have focused either on household devices such as hacked baby monitors and smart toilets or on control systems tied to critical infrastructure. Less attention has been paid to the threat connected systems might pose in the enterprise office environment, experts have noted.
While the focus on enterprise security is generally about protecting digital assets, the Internet of Things introduces a whole new variety of physical attacks such as hackers causing fires, overloading networks or opening locks, Aspect Security CEO Jeff Williams told Dark Reading. The average enterprise environment contains network devices, physical security systems and machine-to-machine communications that all become targets for attackers.
In addition to posing physical dangers, these connected devices can offer a vector for hackers to get inside an enterprise network and begin targeting other systems, SecureState security researcher Spencer McIntyre added. The biggest threats tend to be devices too small to register on administrators’ lists of priorities yet significant enough to be running embedded Windows or Linux systems, he told Dark Reading.
“These devices are running software that is well-known enough that there are vulnerabilities in them, and these vulnerabilities can be leveraged by attackers,” McIntyre said. “A lot of times it’s all that is needed by an attacker to be able to pivot into a network and gain access into more systems.”
Improving embedded device design
The security world tends to focus on protecting more full-featured systems, explained HD Moore, chief research officer at Rapid7. To catch up with consumer operating systems, the embedded device world needs to take the same approach to security that desktop and mobile environments have already adopted, he said.
Device manufacturers can mitigate the threat their products pose to enterprise customers through more conscientious design, according to Chris Clearfield, principal at risk consulting firm System Logic. In a Harvard Business Review blog post, he pointed to the security dangers introduced by the Internet of Things and recommended that engineers working on embedded systems take a few specific software security steps. Simple approaches, such as training developers to focus on security and applying secure development methodologies supported by tools like source code analysis software, can improve code design.
“Educating engineers on common cyber threats and design paradigms that have evolved to mitigate attacks would allow them to integrate existing robust security protections into the systems-engineering practices that they already use to build reliable, stable systems,” Clearfield wrote.
In general, incorporating a culture of skepticism that challenges the security assumptions in devices and employs tactics such as peer code review to search for errors can go a long way toward instilling quality, Clearfield added. He also suggested approaches such as using modular hardware and software designs, which isolate different parts of the system from each other and make it difficult for one compromised component to be used to exploit another, as well as taking advantage of open security standards such as TLS (for encrypting communications) and OAuth (for authentication), which are vetted by large communities of experts.
As enterprises look to protect themselves from the potential threats created by the Internet of Things, vendors may find that there is more pressure to secure connected devices and prove that buying a new copy machine or phone system isn’t going to expose companies to new outside risks. By incorporating security into the embedded software design process, vendors can provide the reassurance of safety enterprises need.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.