Cyber Security & IoT

In cyber security the main question is: who is responsible for security? Is it the company IT department, the end user, the device manufacturer or some public organization? Or can responsibility be “outsourced” to 3rd parties? The responsibility question is not limited to organizations; it should also be considered from the perspective of private persons and property. Consensus on the responsibility questions must be found and connected to technical practicalities and the tool chain, many of which rely heavily on device management system requirements.

A study by HP in 2014 showed that 70 percent of IoT devices contain serious vulnerabilities. There is undeniable evidence that our dependence on interconnected technology is defeating our ability to secure it, and the situation has grown worse since the study because of the increased number of devices, even though the percentage of vulnerable devices among new devices might be lower than in the study. The whole study can be found here:

Until we get a clear answer on responsibility and agreed standard levels or means to ensure security, the number of exploits and vulnerabilities can be expected to keep rising, as it has during the past few years. IoT is still early in its evolution, and legacy M2M systems, routers and other internet-connected devices have a strong legacy of neglecting security by default, so there is a huge amount of work to be done before reaching even a nearly satisfactory level of security.

In general, attackers fall into two groups. One group is interested in attacking the target organization's intranet to steal information or cause damage. The other group is only interested in collecting vulnerable devices into a botnet for other purposes (e.g. DDoS attacks, spam or mining bitcoins). The latter group is by far larger than the first and easier to defend against with an IoT device management system, because these attackers are mainly looking for easy targets. The first group, on the other hand, is very difficult to defend against, depending on the attacker's motives. If the motives are high enough, they will always find a way to penetrate systems. A fine example is the Stuxnet worm, which caused large damage to Iran's nuclear centrifuges, utilizing multiple zero-day vulnerabilities (