Tuesday, February 21, 2017 By Kevin Beaver, IANS Faculty
Well, another RSA Conference has come and gone. I attended this year’s show and, as expected, saw and heard a lot of the same stuff that we've been hearing over the past several years. The threat landscape is evolving. The cloud is still a big topic, especially if you’re a security vendor rebranding and pushing your product/service to be cloud-friendly. The “legal” and “career” tracks at the conference helped point security professionals in the right direction (and I actually think there’s a lot of real value in this).
And finally, "artificial intelligence" stood out to me as the new security term for this year. It didn’t quite overshadow the term "cybersecurity" (which unfortunately seems to be ingrained into the vocabularies of all but us veteran security practitioners), but there certainly seems to be a lot of pressure being put on artificial intelligence to solve all of our security problems for the foreseeable future. We'll see how that goes.
Ultimately, though, one thing that did stand out to me in a positive way is all of the focus being put on IoT security. There’s no doubt IoT is that next wave of systems that we are going to be responsible for locking down, not unlike wireless networks and mobile devices in recent years. The devices are small. Their software can be unfamiliar. Heck, sometimes we don't even know the devices exist or what type of risks they’re creating!
But here's the thing about IoT: Just like wireless, mobile and even the cloud, IoT threats and vulnerabilities waiting to be exploited are really nothing new. Sure, the threat vectors and attack mediums may be a little different than what we're used to seeing, especially when IoT devices are creating business risks from afar (i.e., employees' home networks and vendor-related systems). But at the end of the day, it’s still about the basic security flaws that exist in IoT (a number of which I heard talked about at RSA), which include:
- Weak passwords
- Missing software updates
- Unencrypted or poorly configured communication protocols
- Unsecured storage
- Unmonitored systems
- Systems that do not fall within the scope of penetration tests and vulnerability assessments
- Device manufacturers that don't understand security
- IT shops that can’t find the time to manage IoT security
- Poorly implemented fixes and improperly managed devices
- Security policies that are unknown, don't address IoT or, worst of all, are unenforced
I could go on and on, but you get my point. The bottom line is that vulnerabilities affecting IoT devices – as well as the fixes necessary to get things under control – are nothing new. In fact, most organizations already have one or more programs, processes or controls in place to manage all of this. It's just a matter of bringing IoT devices into the scope of security oversight and, of course, addressing the basic security flaws present across your network. Unless and until that happens, none of the newfangled, IoT-centric security technologies at RSA and elsewhere will be helpful to you.
I believe IoT adds a whole new layer of complexity and risk to any given business network. But be careful chasing down new tools, technologies and processes. Everything you need to get IoT under control is right before your eyes.
The Value of RSA
Getting back to the show, I know it sort of sounds like I'm trying to talk myself and others out of attending future RSA conferences. That's certainly not my intent. The learning opportunities, networking and camaraderie alone (not to mention great food and drink) make it a worthwhile visit, in my opinion. If you have not attended the RSA conference before, you need to. Put it in your budget for next year. They have a very reasonable, low-cost offering to get you in and see not only the vendors’ presentations, but many of the general sessions as well.
Whether you lead an entire information security program, serve as an independent information security consultant or are simply interested in learning more about the field, you should check out the RSA Conference. Just don't forget about locking down your ever-growing IoT environment in the meantime so you’ll be in better position next year when RSA Conference distracts us with something new and shiny.