With the spread of the so-called Internet of Things, CISOs and CIOs increasingly have to make sure that every device they buy and connect to their networks is secure. Another reminder comes with word that a vulnerability in D-Link WiFi video cameras, announced last month by a security vendor, is more serious than first thought.
According to SecurityWeek.com, there’s evidence the bug affects more than 120 of the company’s products, many of which are marketed to Canadian small businesses. The manufacturer is working on patches.
This also highlights a column this week by security author and CISO Michael Oberlaender on four steps organizations must take to secure their IoT devices:
–if the device holds or transmits sensitive data, encrypt traffic with AES256 where symmetric encryption can be used. For cases that involve many users / keys, use asymmetric RSA 2048 bit. For key exchanges over insecure channels, use the Diffie-Hellman protocol. Encoding (e.g. BASE64) is NOT encryption, he stresses, as anyone can run the decoding function to reverse it;
–ensure the solution also allows the use of secure hashes to defeat anyone who might have access to the encryption / decryption keys;
–think about how the IoT fits into the entire architecture, including backup, high-availability (full double pathways), patching and updates;
–are there open interfaces, and if so how will they be secured?
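An added example, not taken from Oberlaender's column or this article, of a check a buyer could run on device payloads during evaluation: it flags data that is only Base64-encoded rather than encrypted, and verifies a keyed hash for integrity. The sample payloads, the function names and the choice of HMAC-SHA256 with a separate key as the "secure hash" are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, math

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy; good ciphertext approaches 8.0 bits per byte."""
    if not data:
        return 0.0
    freqs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in freqs)

def is_mostly_text(data: bytes) -> bool:
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and printable / len(data) > 0.95

def classify_payload(payload: bytes) -> str:
    """Triage heuristic: is this payload readable, merely encoded, or opaque?"""
    if is_mostly_text(payload):
        try:
            decoded = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return "plaintext"
        if is_mostly_text(decoded):
            return "encoded-plaintext"  # reversible by anyone, no key involved
        payload = decoded               # Base64 may simply wrap ciphertext
    # High entropy also matches compressed data, so treat this as a hint only.
    return "likely-encrypted" if entropy_bits_per_byte(payload) > 7.0 else "unknown"

def integrity_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256); the key is assumed separate from the cipher key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, message), tag)

# Constructed samples, not captured from any real device.
TELEMETRY = b'{"camera":"lobby-01","user":"admin","password":"example-only"}'
ENCODED = base64.b64encode(TELEMETRY)
# Stand-in for AES-256 ciphertext: 1024 pseudo-random bytes (SHA-256 of a counter).
CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    for name, blob in [("raw", TELEMETRY), ("base64", ENCODED), ("cipher", CIPHERTEXT)]:
        print(f"{name:7} {classify_payload(blob)}")
    tag = integrity_tag(INTEGRITY_KEY, CIPHERTEXT)
    tampered = bytes([CIPHERTEXT[0] ^ 1]) + CIPHERTEXT[1:]  # flip one bit
    print("intact  ", verify_tag(INTEGRITY_KEY, CIPHERTEXT, tag))
    print("tampered", verify_tag(INTEGRITY_KEY, tampered, tag))
```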
It’s vital that organizations not be caught unaware of the pitfalls of IoT devices while being dazzled by their potential.