But while the IoT threats are obviously expanding and evolving, both Fry and Harrington said security basics remain the same.
“We’re seeing the same problems we saw 20 and 50 years ago,” Fry said, “where we have to go back and find whether devices are being properly patched, physically secured or being allowed to communicate without restriction. We need to make sure this is something we are looking for, and that if an attacker is using something like this device, we can detect and analyze it.”
Harrington said he believes the IoT, even with the new wireless protocols involved, doesn’t even amount to a new paradigm. “The IoT has changed many things,” he said, “but from a security perspective, it’s the same challenge as dealing with any other security risk. It requires a programmatic approach – threat modeling.”
That, he said, has four components:
- Identify the assets your organization cares about protecting.
- Identify your potential adversaries – nation states, organized crime or other kinds of groups.
- Understand your attack surface – the IoT is just one of them.
- Know how adversaries are likely to attack.
“That approach will help companies think through this and any security problem,” he said. “Then you can start thinking about tools and techniques.”