Technology is moving so fast that it has become difficult to keep up, and even apparently simple devices such as connected home appliances now present opportunities for cyber crime.
This is according to Darron Gibbard, chief technical security officer, EMEA, at Qualys, who was speaking yesterday at the ITWeb Security Summit at Vodacom World. He said that threats are increasingly moving into the IoT space, including smart home devices.
"You have smart home devices such as control systems, electronic thermostats and connected ovens that users can conveniently control using their mobile phone. But security is not widely thought about in the development of these products. The manufacturers tend to give you functionality over security."
Smart devices
In the age of transformation, it had become relatively easy to access these smart home technologies, Gibbard said. "Instead of targeting corporate assets via phishing, you could listen in via the remote control listening devices within the home and get that exact same information. And I would argue that it's simpler to do that than trying to get into the corporate environment, which is well secured. It's important that corporates begin to understand the risks and threats in that environment too."
Qualys had looked into the core principles for security, around giving better visibility and accuracy in the security environment, he said. These included asset management: "We all think we have a configuration management database (CMDB), we think it's accurate and we think we know what assets we have in the environment. But what we typically find through our own surveys and internal research is that there are typically ten percent to 30% more assets than the organisation actually thinks it has. In one case, a client laid claim they had 8 000 assets with IP addresses, but we found they actually had 13 000 on their network. So to get full visibility, it's vitally important that you know what you've got."
Visibility needed to extend to assets in the cloud, he noted. "It's not just about what you have in the network, but now that everything is going into the cloud, you need to know what is going into the cloud and how that data is being used."
As organisations seek scalability, often through public cloud services, they also needed to consider where the data was hosted and whether they had sovereignty, he said. Gibbard also noted that an always-on, connected world presented security problems in that immediacy now drives everything we do and it has become difficult to retrofit security into a project. "The only way this new environment will succeed is for us to engage earlier and get the security bedded in," he said.
"There are no standard architectures or operating systems for IoT, so Qualys is pushing with industry to standardise to make it easier for us to deal with risks and threats," he said.
Share