Judging by all the media attention that the Internet of Things (or IoT) gets these days, you would think that the world was firmly in the grip of a physical and digital transformation. The truth, though, is that we are all still in the early days of the IoT.
The analyst firm Gartner, for example, puts the number of Internet-connected “things” at just 8.4 billion in 2017 – counting both consumer and business applications. That’s a big number, yes, but a much smaller number than the “50 billion devices” or “hundreds of billions of devices” figures that get bandied about in the press.
Of course, the fact that the full promise of the Internet of Things awaits in the distant future, or that there are only tens of billions of connected devices and not scores of billions of them, doesn’t change the reality for you, which is that the Internet of Things already poses a security threat to your organization.
Where does the networking professional worried about Internet of Things-based threats start? Here are a few thoughts to consider as you plan your organization’s response:
Know your Known Knowns
The first step in any network security program is to understand and assess the IT assets that you are responsible for securing. This is as true today as it was 30 years ago. And today, as in the past, the biggest challenge that networking professionals face is understanding what is on their network and how it is being used and possibly abused.
To do this, it is sometimes helpful to use the Pentagon’s nomenclature around war planning, thinking in terms of known knowns, known unknowns, and unknown unknowns.
Known knowns are the things you know you know, as former Defense Secretary Donald Rumsfeld put it. They include all your traditional assets: laptops, desktops, servers (including development and test servers), as well as smartphones and tablets. They also include peripheral devices like multifunction printers, photocopiers and so on.
To really know your known knowns, however, you need to see past the obvious and interrogate each of those IT assets to make sure you’ve accounted for any features and functions that could undermine your network security. Furthermore, you need to develop the means of bringing those devices under management.
With smartphones, for example, mobile device management platforms have long been a means of extending control and management to those devices by enforcing patch levels, banning “jailbroken” devices and limiting app store choice. Given the spate of malicious applications showing up on platforms like Google Play, if you’re not paying attention to the security posture of your employees’ and contractors’ mobile phones, you’re taking a big risk.